Friday, May 20, 2005

Irony, thy name is IBM


Picture credit: http://www.inthesetimes.com/
IBM and North Carolina's Research Park Triangle are whining and moaning about the paucity of students entering computer science.

With a critical shortage of [IT] workers projected in the coming years, it's crucial that [universities] attract top students to the field, a local IBM official said...


Irony, thy name is IBM. Allow me to quote from another article, dated May 19th:

IBM's headcount in India is inching closer to the 25,000 mark as the Big Blue has ramped up its operations aggressively over the last few quarters. IBM increased its India employee base to 23,000 as of end-2004 compared to 9,000 at end-2003, a growth of some 150 per cent, said Shanker Annaswamy, Managing Director, IBM India...


Gee, I wonder if IBM's Everest-sized outsourcing effort has dampened the enthusiasm of any would-be computer science majors? Or whether IBM's recent announcement that they'd be slashing 10,000 or so jobs has had an impact?

Gina Poole, vice president of IBM's Academic Initiative, told about 120 university educators that an additional 2.2 million people will be needed in information technology-related professions by 2010. "A lot of today's students will be filling those needs," Poole said. "The demand is building up, but the supply isn't building up fast enough."


Hey, Gina: do you think IBM could take the time to clearly outline some career paths for Computer Science grads in the age of low-cost IT labor?

I perfectly understand the need to source from the lowest-cost provider able to meet IT's requirements. That's called "capitalism". We all need to accept that. What I don't understand are IT firms constantly harping on a C.S. talent shortage while shipping jobs overseas faster than Ben Johnson on Dianabol.

If these firms expect to attract beautiful minds to the computer science world, they better enunciate a career path: how the best and brightest Americans can coexist with cheaper, foreign talent.

Look, I'm a fortunate guy. I was weaned on real-time, Intel assembly code, moved on to mass-market consumer software products, and then migrated to large-scale enterprise IT and eBusiness. I worked for and with some of the smartest folks on the planet at places like Procter & Gamble.

But I also had to create my own Computer Science career path, with no guidance whatsoever. It's a lot to ask a 19-year-old, picking a major, to go into a field where ostensible competitors may be earning $12,000 a year.

And, not to be maudlin, but it's also a national security issue. Information processing and information security will be two of the most strategic areas for the U.S. as it meets the challenges of the 21st century.

But it would behoove both industry and academia to explain just how C.S. graduates can coexist with labor dredged from the lowest-cost pools on the planet.

My oldest daughter is preparing for college. In the tenth grade, she scored something around a 1350 on the SATs (old scoring - out of 1600), with no practice whatsoever. She's stubborn, brilliant, and a logical thinker. I'm recommending she consider law school.

Herald-Sun: IBM, colleges: More top students needed
 

Thursday, May 19, 2005

Preventing Surprise Attacks



The crew at Powerline noted Richard Posner's book, "Preventing Surprise Attacks." If you're at all concerned with the ramifications of the 9/11 Report and the subsequent rush to reorganize the intelligence community, it appears chock full of valuable insights.

Reviewers have pointed to its astounding clarity. Shouldn't the commission have studied other surprise attacks before coming to a variety of sweeping conclusions, including centralization of the U.S. intelligence apparatus?

For example, the Arab nations surprised Israel in the Yom Kippur War. An Israeli commission determined, after the fact, that the reason for the surprise was lack of decentralization in its intelligence services. The 9/11 Commission, on the other hand, determined the surprise of 9/11 was due to not enough centralization. The fact that there are divergent views on this matter is not surprising. What is surprising is that the 9/11 Commission failed to even investigate them.


In other words, Posner recognizes that the Commission's study was superficial and its organizational emphasis weak.

The commission, followed by Congress, exaggerated the benefits of centralizing control over intelligence; neglected the relevant scholarship dealing with surprise attacks, organization theory, the principles of intelligence, and the experience of foreign nations, some of which have a longer history of fighting terrorism than the United States; and as a result ignored the psychological, economic, historical, sociological, and comparative dimensions of the issue of intelligence reform.


Luckily, Posner posits, all is not lost. One outcome of the inevitable politicking related to intelligence reform: the actual reorganization parameters were left vacuous and vague, leaving it up to the President to shape any new intelligence structure.

Richard Posner: Preventing Surprise Attacks
 

Reaction: The Deadly Newsweek Riots


Picture credit: http://www.jimcarreyonline.com
Herein a collection of reactions to the Newsweek Riots. But first, it's worth noting the pronounced 'circle the wagons' effect we're seeing. Former Time Magazine bureau chief Margaret Carlson is simply the latest (ABC and CNN included) of those defending a horrid practice in her latest offering: "Newsweek Blunder Doesn't Absolve White House". Yes, I'm sure it's all the administration's fault... or perhaps Karl Rove is behind the curtain...

When ace reporter Michael Isikoff had the scoop of the decade, a thoroughly sourced story about the president of the United States having an affair with an intern and then pressuring her to lie about it under oath, Newsweek decided not to run the story. Matt Drudge scooped Newsweek, followed by The Washington Post.

When Isikoff had a detailed account of Kathleen Willey's nasty sexual encounter with the president in the Oval Office, backed up with eyewitness and documentary evidence, Newsweek decided not to run it. Again, Matt Drudge got the story...

...Why no pause for reflection when Isikoff had a story about American interrogators at Guantanamo flushing the Quran down the toilet?

Coulter

First, we all can agree that flushing a Koran down a toilet, if physically possible, would be both insensitive and rude, though Westerners generally have a higher tolerance threshold for such offenses. Put it this way: You could flush a Bible down the toilet in front of Goober in Kabul, and it's unlikely that Mayberry suddenly would be awash in blood.

Parker

Back in November 2003, Newsweek complained in a cover story that Vice President Dick Cheney "bought into shady assumptions" leading into the Iraq war, partly because of his "dire view of the terrorist threat." In its Koran story, Newsweek itself bought into shady assumptions, partly because of the media's dire view of the U.S. military. And so the media party continues its decline.

Lowry

If the forged documents at CBS and the phony story at Newsweek were just isolated mistakes, that would be one thing... [this week's ceremony honoring] Dan Rather makes it easier for the public to see that the forged documents and the fake story were not just odd things that happened to a couple of people but were symptomatic of a mindset...

Someone referred to the story about George Bush's National Guard service as "too good to check." ... That is almost certainly what happened with the story about Americans flushing the Koran down the toilet at the Guantanamo prison.

...All this goes back to a more fundamental problem with the mainstream media. Too many journalists see their work as an opportunity to promote their own pet political notions, rather than a responsibility to inform the public and let their readers and viewers decide for themselves.

Sowell

How many eerie parallels are there between the CBS scandal and the Newsweek scandal?

1. Both stories caused liberal media types to hunt for years to prove the urban legends dear to the hearts of the Bush-bashers...
2. Both stories relied on a single anonymous source. In CBS's case, he was "unimpeachable"; in Newsweek's, "reliable." ...
3. Both outlets made comical claims about their professionalism in a time of crisis...
4. Both stories were incorrectly declared to be "confirmed" by outside sources...
5. In both cases, the story, left unchallenged, would prove highly damaging to the Bush administration...
6. When both stories crumbled, the media outlets were initially reluctant to retract anything...
7. But even after the official retraction, the spin control continued. Dan Rather continued to insist, and other reporters followed suit, that while the documents may have been fabricated, the National Guard story was true. Newsweek's liberal media friends united around the theme that Newsweek will be proven right, that Koran-flushing was not "beyond the realm of possibility," as CNN's Anderson Cooper put it. On "Nightline," ABC's John Donvan intoned, "What really goes on at Guantanamo Bay, no one really knows."...

Bozell

The nature of the war -- a battle against faceless terrorism instead of enemy armies -- changes the nature of the job. The same for the seeming inexhaustibility of the present enemy. On and on this enterprise goes; where it stops, nobody knows.

Factor all that into the equation and still excuses aren't possible for a media establishment that displays, through what it tells and what it omits to tell, its dark suspicions of the policy to which its country has committed itself.

So Newsweek "regrets" having gotten "part" of its Guantanamo story wrong! It's a start, no doubt. But, oh, the cost of it in terms we haven't begun to tote up.

Murchison
 

Wednesday, May 18, 2005

Breaking Down another Phishing Scam


(Picture credit http://www.bbc.co.uk)
Here's another phishing scam-mail I just received. Let's break it down in a manner reminiscent of Genghis Khan (or, at the very least, like an earlier blog entry).

I received an email from "Associated Bank, NA" with the subject heading "Account Notification". Let's take a look at the email source, which you can also view in your own email client by using "Show original message", "View Source", or similar means. I've abridged the email slightly for readability, but what you see here is essentially what I received.

From: "Associated Bank, N.A" <alerts@associatedbank.com>
To: xxx@att.net
Subject: Account Notification
Date: Wed, 18 May 2005 14:54:17 +0000


Well, this looks... okay. So far, so good.

Received: from 12-222-1-154.client.insightBB.com ([12.222.1.154])
by worldnet.att.net (mtiwmxc18) with SMTP
id <2005051814541701800592k0e>; Wed, 18 May 2005 14:54:17 +0000
X-Originating-IP: [12.222.1.154] ...
Received: from pfjklc (xg39.plumb-crazy.co.za [173.110.170.98])
by web2.plumb-crazy.co.za id <7BAFU4-096Ni4-00>
Wed, 18 May 2005 16:55:54 +0100
Received: from ISXU-74-951-325-210.plumb-crazy.co.za (localhost.localdomain [127.0.0.1]) by creole.plumb-crazy.co.za with Internet Mail Service (5.5.2657.72)
id <5Y9H11976I>; Wed, 18 May 2005 14:49:54 -0100
Message-ID: <20053669421256.81294.web@me18.zkw.plumb-crazy.co.za>
Date: Wed, 18 May 2005 17:53:54 +0200
From: "Associated Bank, N.A" <alerts@associatedbank.com>
To: xxx@att.net
Subject: Account Notification
MIME-version: 1.0


Hmmm... I wonder why Associated Bank is routing messages through a South African mail server owned by the domain "plumb-crazy"?

Hey, wait just a minute, mister... you can't fool me...

This is a multi-part message in MIME format.

------------SbEvvqI2rZ7Y
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit


WASHINGTON - Hiring around the country picked up briskly in April, with employers boosting payrolls by 274,000 and raising hopes of better days ahead for jobseekers and the economy as a whole. The unemployment rate held steady at 5.2 percent. The latest snapshot of the nation's...


This is the first part of the email message content, which we were never intended to see. It's used for one purpose alone... to defeat spam filters. It does so by retrieving news content -- a valid news article -- that will help fool the filter into thinking it's legit.

------------SbEvvqI2rZ7Y
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

...<p>Online Customer,
<p>To protect the safety of your access, employs some of the most advanced security online systems in the world and our anti-fraud teams regularly scan the Bank system for fraud activity.Associated Bank, NA, is committed to maintaining a safe environment for our online customers. %</p><p>In accordance with Associated Bancorp's Customer Agreement and to guarantee that your account hasn't been compromised, internet access to your savings account was limited. Your account access will remain limited until this problem has been resolved. Customer Support are remind you that on May 18, 2005 our Account Review Team identified some unusual activity in your account. Account Support recommend you to log in and perform the steps requisite to return your account access as soon as possible. Allowing your online access to remain blocked for a long period of time may effect in further restrictions on the use of your Debit Card account and possible account closure.<p><a id="MALL" href="http://www.graphicjester.com/redir.html"></a></p><div><a href="https://rolb.associatedbank.com/SITE/welcomeie.asp"><table><caption><a href="https://rolb.associatedbank.com/SITE/welcomeie.asp"><label for="MALL"><u style="cursor: pointer; color: blue">https://rolb.associatedbank.com/SITE/</u></label></a></caption></table></a></div></p>
<p>Please understand that this is a safety measure meant to help protect you and your Debit Card account. Thank you for your attention to this problem. Review Team apologize for any inconvenience.</p>
<p>Best regards,</p>
<p>Associated Bancorp, Banking Support</p>


Hmmm... there's a link to a site called "graphicjester.com"? Hey, wait a minute......

Hopefully that helps you understand how to analyze phishing emails and to detect their attempts to grab your private data.
 
With more publicity like this, maybe phishing emails will become as common as Dolph Lundgren sightings at the Oscars.
 

Weapons in Space


Picture credit: http://www.fantastic-plastic.com
The Gray Lady reports that the Air Force is seeking President Bush's approval of a national security directive that would permit deployment of space-based weapons.

The proposed change would be a substantial shift in American policy. It would almost certainly be opposed by many American allies and potential enemies, who have said it may create an arms race in space.


These are probably the same people who opposed Reagan's plans in the eighties. Don't these people read history books? Actually, it would help circumvent an arms race in space just as Ronald Reagan's massive commitment to defense spending, and SDI in particular, ended the Cold War.

Any deployment of space weapons would face financial, technological, political and diplomatic hurdles, although no treaty or law bans Washington from putting weapons in space, barring weapons of mass destruction.


Let me guess what that means: the U.N. will oppose it. All the more reason to send John Bolton to Kofiville.

"The focus of the process is not putting weapons in space," said Maj. Karen Finn, an Air Force spokeswoman, who said that the White House, not the Air Force, makes national policy. "The focus is having free access in space."


Exactly. Should we have abstained from developing nuclear weapons during World War II for fear of inciting a nuclear arms race with the Nazis? The United States is the greatest country on the face of the earth, inherently and provably peaceful, and it is imperative that we stay ahead of those whose intentions are opaque.

With little public debate, the Pentagon has already spent billions of dollars developing space weapons and preparing plans to deploy them.


The point being: this effort is probably underway.

The Air Force believes "we must establish and maintain space superiority," Gen. Lance Lord, who leads the Air Force Space Command, told Congress recently. "Simply put, it's the American way of fighting." Air Force doctrine defines space superiority as "freedom to attack as well as freedom from attack" in space.


Exactly. If we can't ensure the safety of our space-based platforms (e.g., satellite reconnaissance), we place ourselves at the mercy of those who might blind us during hostilities.

A new Air Force strategy, Global Strike, calls for a military space plane carrying precision-guided weapons armed with a half-ton of munitions. General Lord told Congress last month that Global Strike would be "an incredible capability" to destroy command centers or missile bases "anywhere in the world..."

...In April, the Air Force launched the XSS-11, an experimental microsatellite with the technical ability to disrupt other nations' military reconnaissance and communications satellites.

Another Air Force space program, nicknamed Rods From God, aims to hurl cylinders of tungsten, titanium or uranium from the edge of space to destroy targets on the ground, striking at speeds of about 7,200 miles an hour with the force of a small nuclear weapon.

A third program would bounce laser beams off mirrors hung from space satellites or huge high-altitude blimps, redirecting the lethal rays down to targets around the world. A fourth seeks to turn radio waves into weapons whose powers could range "from tap on the shoulder to toast," in the words of an Air Force plan.


That's what I'm talking about.

Senior military and space officials of the European Union, Canada, China and Russia have objected publicly to the notion of American space superiority.

They think that "the United States doesn't own space - nobody owns space," said Teresa Hitchens, vice president of the Center for Defense Information, a policy analysis group in Washington that tends to be critical of the Pentagon. "Space is a global commons under international treaty and international law."


Fine. But until you get the U.N.'s Space Police patrolling up there, we'll take responsibility for maintaining order.

No nation will "accept the U.S. developing something they see as the death star," Ms. Hitchens told a Council on Foreign Relations meeting last month. "I don't think the United States would find it very comforting if China were to develop a death star, a 24/7 on-orbit weapon that could strike at targets on the ground anywhere in 90 minutes."


Better the U.S. with a death star... than China. That much is certain.

NY Times: Air Force Seeks Bush's Approval for Space Weapons Programs
 

Tuesday, May 17, 2005

When Outsourcing Makes Sense


(Picture credit http://www.mirasoft.com.ua)
Here's an example of a situation where it makes perfect sense to outsource. Consider the criteria and guess who I'm describing:

  • when the quality of the product is already exceedingly low

  • when the outsourcers can't help but do as well as (or better than) internal staff

  • when customer expectations have already sunk to Marianas Trench-level depths


    Yes, of course, I'm talking about Reuters! Or, rather, Al Reuters is the term they prefer, I believe. In any event, their unionized employees are ramping up a campaign against the outsourcing of U.S. jobs:

    ...To support their position that outsourcing undermines the quality of Reuters' journalism, union activists point to a string of high-profile errors, most originating from a small newsroom set up last year in Bangalore, India. The errors include misidentification of the Polish city of Krakow as being in Portugal and saying Army Reservist Lynndie England, who was involved in the prisoner abuse scandal in Iraq, was commander of her unit rather than a private...


    The entire concept of 'undermining the quality of Reuters' journalism' seems like an oxymoron. If an outfit reports stories like a fabricated holy-book-flushing incident or John Kerry's re-energized 2008 Presidential campaign... well, hey, we all make misstakes [sic] sometimes!

    Truthfully it all sounds pretty much par for the course for Al Reuters - I really don't see the problem here, do you? Given that the whole MSM has outsourced much of their fact-checking work to the blogosphere, does this really come as a surprise?

    Perhaps Dan Rather, Eason Jordan, and -- soon, perhaps -- Michael Isikoff could comment on the news outsourcing trend from their perspective.

    Newsday: Union protests over Outsourced News
     

    Big Business Turns its Back on Outsourcing


    Picture credit: http://cpsu.org.au
    From Silicon.com's management pages comes this interesting rehash of a Deloitte Consulting report on outsourcing. Bottom line: the companies that jumped on the outsourcing bandwagon first are now the fastest to jump off the wagon.

    The interesting aspect, of course, is the cost-savings factor that never materialized. And why would businesses generally not save any money outsourcing?

    Consider the geographic, language and time disconnects between business customers and development teams. With those disconnects in place, you'd better have world-class business analysts, architects, and project-managers acting as liaisons. And we all know how prevalent those folks are. They're about as common as $150K starter homes in Beverly Hills, California.

    More than two thirds of respondents to the Deloitte survey said they have had "significant" negative experiences with outsourcing projects.

    One in four participants have brought operations back in-house after realising that they could be provided better – and in some cases at a lower cost – internally.

    Cost savings expected from outsourcing did not materialise for 44 per cent of respondents, and nearly two out of three ended up paying for services they thought were included in the contracts with vendors...


    Silicon: Big Businesses Turn Their Backs on Outsourcing
     

    .NET Pros and Cons


    Picture credit: Amazon UK
    Tim Anderson's IT writing site has an interesting discussion board that lists .NET pros and cons. I've summarized some of the topics, below, to give a sense of the broad discussion areas. Of course, the fact that it's running on a PHP-based forum sends some sort of message...

    For: No-touch/Click-once deployment
    For: Code access security
    For: Supports multiple languages
    For: Linux support with Mono
    For: Easy component sharing

    Against: The Microsoft factor
    Against: Executables easily decompiled
    Against: GUI applications are slow
    Against: Large runtime needed
    Against: Memory usage is huge


    .NET Pros and Cons
     

    Monday, May 16, 2005

    The Iterative Phishing Scam


    (Picture credit Microsoft Corporation)
    The crooks known as phishers have a brand new scam, according to News.com:

    ...the phishing e-mails arrive at bank customers' in-boxes featuring accurate account information, including the customer's name, e-mail address and full account number. The messages are crafted to appear as if they have been sent by the banks in order to verify other account information, such as an ATM personal-identification number or a credit card CVD code, a series of digits printed on the back of most cards as an extra form of identification.


    This is an especially dangerous scam because it leverages real consumer data that the bad guys may have already collected through other means. Consider the ChoicePoint debacle, for example, or any one of the other recent mass disclosures of consumer data.

    One hypothetical scenario: a bogus merchant who has already collected consumer data from ChoicePoint is now mass-mailing these phishing messages. The intent would be to collect even more data from victims. This time, perhaps they'll get an ATM PIN to augment the bank account number they've already stolen.

    Just a reminder: if you're interested in seeing how to detect phishing and fight back against the phishers themselves, check out this previous blog entry.

    In the meantime, I'd double-check every email from a supposed financial institution by voice-calling the firm.

    News.com: New phishing attack uses real ID hooks
     

    Really, really bad idea: REAL ID


    Picture credit: EU Politix
    The invaluable Bruce Schneier led his most recent Cryptogram newsletter with a piece on REAL ID. The REAL ID act creates a set of uniform rules for how the states issue driver's licenses. The rules go into effect within three years. What's really strange is that the bill passed with little fanfare, virtually no debate in Congress, and was attached to completely unrelated legislation (military funding in Iraq).

    Aside from creating a virtual national ID card, Bruce points out that it will make identity theft easier, not harder. Unlike many European countries with strong legal penalties for disclosure of privacy data, the US has no laws that protect consumers' privacy data.

    The incentive for companies like ChoicePoint to broker information about your national ID card will be immense. Many businesses will want to scan your national ID card (say, to prove age in a restaurant serving alcoholic beverages) and they'll also want to sell that information to aggregators like ChoicePoint. Without any legal framework for protecting consumer data, it's certain that identity theft will rise -- not fall -- with REAL ID.

    And the unintended consequences of the law will be devastating.

    If, for instance, an illegal alien can't get a driver's license, that person will simply drive without a driver's license. And therefore without any automobile insurance. The result will be a higher number of uninsured motorists and a resulting increase in accidents in which one or multiple motorists have no insurance. The repercussions will be costly and painful: dramatically higher insurance premiums and all sorts of litigation.

    If you haven't heard much about REAL ID in the newspapers, that's not an accident. The politics of REAL ID was almost surreal. It was voted down last fall, but was reintroduced and attached to legislation that funds military actions in Iraq. This was a "must-pass" piece of legislation, which means that there was no debate on REAL ID. No hearings, no debates in committees, no debates on the floor. Nothing. And it's now law.

    We're not defeated, though. REAL ID can be fought in other ways: via funding, in the courts, etc. Those seriously interested in this issue are invited to attend an EPIC-sponsored event in Washington, DC, on the topic on June 6th. I'll be there.

    Resources:

    http://www.epic.org/privacy/id_cards/
    http://www.unrealid.com/

    EPIC's Washington DC event:
    http://www.epic.org/events/id/savethedate.html

     

    Sunday, May 15, 2005

    Jihad Jane


    Picture credit: Jane T. Christensen
    Frontpage Magazine's Mike Adams points us to an especially egregious case of moonbatitis academia at North Carolina Wesleyan College. Jane Christensen is a Political Science prof there and the heir apparent to nutjob Ward Churchill.

    If you want to take a gander at her official, faculty web page, make sure you're sitting down. Yes, the picture that accompanies this story came straight from her faculty web site. Other gems from her web site include:

  • "Government Prior Knowledge and Involvement in the September 11th Attacks Archive"

  • "Iraqi Resistance Report 4/23/05"

  • "NWO PLANS TO DEPOPULATE THE EARTH"

  • "Mossad Planning Another Attack in US"

  • "THE ISRAELI CONNECTION TO 9/11"

  • "Israelis Planning Targetted Kills in US"

    Can't the Left make up its mind: was Bush shocked into inaction while reading 'My Pet Goat'... or calmly awaiting the attacks because he knew about them?

    How about calling the Iraqi terrorists, the murderers of untold numbers of men, women, and children, "the resistance"? Resisting what? A democratic government?

    Oh, and blaming the Israelis for 9/11? Lots of evidence for that has turned up, right?

    If Jihad Jane is at all typical of liberal arts poli sci professors, I'm truly frightened for the future of our country.

    Feel like doing something? Here's the contact information for the president of the college. Politely call or email him. Ask him to reconsider Jane's role at the college. Perhaps she should be teaching science fiction, for instance. It appears she's already really good at that.

    Contact University President Ian D.C. Newbould
    Telephone: 252-985-5140
    Fax: 252-985-5199
    Address: 3400 N Wesleyan Blvd., Rocky Mount, NC 27804-9906
    Email address: INewbould@ncwc.edu


    Contrast Jihad Jane with fired DePaul University instructor Thomas Klocek. Why was Klocek terminated? He argued with pro-Palestinian students at a campus activities fair last fall. Let me repeat that. He argued with some pro-Palestinian students.

    It's worth asking why Klocek lost his position while other "instructors" like Jihad Jane remain.

    Frontpage: Jihad Jane
     

    Saturday, May 14, 2005

    Detecting and Fighting Phishers


    Picture credit: Stern
    Here's another wonderful phishing email I just received. Not familiar with the term phisher?

    Key Bank defines it as, "a fraudster [who] spams the Internet with email claiming to be from a reputable financial institution or e-commerce site. The email message urges the recipient to click on a link to update their personal profile or carry out some transaction. The link takes the victim to a fake website designed to look like the real thing. However, any personal or financial information entered is routed directly to the scammer."

    The scary thing is that, according to the Houston Chronicle, about 5% of adults receiving a phishing email provided some sort of personal information to the phisher.

    Want to fight back? We'll break this phishing scheme down, show you how to trace back a phishing email, and -- in some cases -- alert the parties who, wittingly or unwittingly, provide phishing infrastructure.

    First, let's look at the email I received as it appeared in my email client:


    PayPal User,

    PLEASE READ THIS NOTICE CAREFULLY.

    You have received this Notice because the records of PayPal, Inc. indicate you are a current or former PayPal account holder who has been deemed eligible to receive a payment from the class action settlement in accordance with PayPal Litigation, Case No. 02 1227 JF PVT, pending in the United States District Court for the Northern District of California in San Jose.

    In your specific case you have been found to be eligible for a payment of $252.99 USD.

    The aforementioned settlement funds may be transferred directly to your bank account providing you have a linked card. The funds may not be credited directly to your PayPal account as this would render Paypal to be accumulating interest and thus profiting on litigation settlement funds which contravenes Federal law.

    Your bank account will be credited within 7 days upon submission of account details.

    To credit your bank account please click here*...

    *Hyperlink and additional legal-sounding mumbo jumbo removed


    Step 1 - click the "view source", "show original message" or equivalent button that exposes the original, underlying message text. This will allow us to see the message header, which tells us how the email got to our inbox.

    Received: from clust05-www02.powweb.com ([66.152.98.52])
    by ***.att.net (***) with ESMTP
    id <***>; Sat, 14 May 2005 05:30:01 +0000
    X-Originating-IP: [66.152.98.52]
    Received: by clust05-www02.powweb.com (Postfix, from userid 10775)
    id **********; Fri, 13 May 2005 21:58:46 -0700 (PDT)
    To: ***@att.net
    Subject: Award Notification
    From: PayPal-Awards
    Reply-To: costumer@award.paypal.com...


    Aside from the comical misspelling of the reply-to address ("costumer"?), note how the spam arrived at our door: the mail was sent through one of Powweb's mail servers. So our first action-item is to email or call Powweb. For contact information, I simply went to their web site and found a toll-free number (1-877-476-9932) and support email addresses (sales@powweb.com and support@powweb.com). You can forward the phishing email to them and lodge a complaint with both the sales and support departments.

    Step 2 - let's see where the information collected from someone naive enough to fall for this scam really goes. While we're still viewing the email source (the raw text of the mail message), let's look for suspicious URLs or form submission actions.

    <BR><BR>

    <B>To credit your bank account please <a href="http://140.135.9.161:443/">click here</a>.</B>

    <BR><BR>


    Hmmm... why the address 140.135.9.161, if this is a message from PayPal? Well, obviously, it's not from PayPal. Let's find out where this phishing site is hosted. Instead of tracing the route back from our own PC (a "trace-route"), we'll do it from a web site designed to help in situations just like this one. One I particularly like is called DNS Stuff. We'll go there and use its tracert tool to figure out the location of the phishing site.

    Here's what we come up with: ecad.el.cycu.edu.tw [140.135.9.161]. So, somewhere in Chung Li, Taiwan (I just surfed to their central web site at http://www.cycu.edu.tw/), a bad guy has taken over at least one of the university's machines for nefarious purposes. Maybe it's just an "entrepreneurial" student. Or maybe it's a remote user who's co-opted one or more of their machines.

    Let's take a look at the phishing site (I went through an anonymous proxy to disguise my real location).


    Phishing Site: PayPal


    This looks so good, no wonder 5% of the general public falls for it.

    Second action-item: let's contact the University and get their IT staff on the case. From their web site, we can find phone and fax numbers (886-3-265-9999 and 886-3-265-8888, respectively). Since I can't read Taiwanese, I use a Google search to find some email addresses. I come up with a couple: shhuang@cycu.edu.tw and eitc@cycu.edu.tw. Let's email them.

    What should our message be? A forwarded version of the phishing email with a polite introduction. Subject heading: Phishing Scam at cycu.edu.tw.

    Please be advised that at least one computer on your network appears to be part of a phishing scam, which may indicate significant criminal activity. The machine in question is:

    ecad.el.cycu.edu.tw [140.135.9.161]

    Also, please be advised that the authorities are being notified.


    Hopefully, that gets their attention. Last action-item? Don't forget to delete this scum from your inbox.
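    If you'd rather not eyeball raw message source every time, the two steps above (pull the handing-off server out of the Received headers, then pull the links out of the body and ask whether they belong to the brand the mail claims to be from) are easy to automate. The script below is an added example written for this post, not anything from the post itself or from PayPal, Powweb or DNS Stuff. The host names and addresses in the sample message are the ones quoted above; the queue ids, the receiving mail host (mail.example.net) and the recipient are constructed placeholders, and the reverse-DNS step done with DNS Stuff above is deliberately left out so the script runs offline.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlsplit

# Constructed sample message, modelled on the headers and HTML quoted in the
# post. Hostnames and IPs are from the post; receiving host, recipient and
# queue ids are placeholders, not values from the real message.
RAW_MESSAGE = b"""Received: from clust05-www02.powweb.com ([66.152.98.52])
\tby mail.example.net (placeholder-mta) with ESMTP
\tid QUEUEID-PLACEHOLDER-1; Sat, 14 May 2005 05:30:01 +0000
X-Originating-IP: [66.152.98.52]
Received: by clust05-www02.powweb.com (Postfix, from userid 10775)
\tid QUEUEID-PLACEHOLDER-2; Fri, 13 May 2005 21:58:46 -0700 (PDT)
To: victim@example.net
Subject: Award Notification
From: PayPal-Awards
Reply-To: costumer@award.paypal.com
Content-Type: text/html

<B>To credit your bank account please <a href="http://140.135.9.161:443/">click here</a>.</B>
"""

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HREF = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def parse_message(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)


def received_hops(msg):
    """IP literals from the Received headers, topmost first (the hop nearest us)."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_IP.search(value)
        if m:
            hops.append(m.group(1))
    return hops


def extract_links(msg):
    """Every href in the HTML (or plain) body, in document order."""
    body = msg.get_body(preferencelist=("html", "plain"))
    return HREF.findall(body.get_content()) if body else []


def suspicious_link_reasons(url: str, claimed_brand_domain: str):
    """Why a link in mail claiming to be from claimed_brand_domain looks wrong."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    try:
        ipaddress.ip_address(host)
        reasons.append("link host is a bare IP address, not a hostname")
    except ValueError:
        if not (host == claimed_brand_domain or host.endswith("." + claimed_brand_domain)):
            reasons.append(f"link host {host!r} is outside {claimed_brand_domain}")
    if parts.scheme == "http" and parts.port == 443:
        reasons.append("plain http on port 443: scheme and port do not match")
    return reasons


def analyse(raw: bytes, claimed_brand_domain: str = "paypal.com"):
    msg = parse_message(raw)
    hops = received_hops(msg)
    x_orig = str(msg.get("X-Originating-IP") or "").strip("[] ")
    return {
        "first_hop_ip": hops[0] if hops else None,   # server that handed the mail to our MX
        "x_originating_ip": x_orig or None,
        "reply_to": str(msg.get("Reply-To") or ""),
        "links": {u: suspicious_link_reasons(u, claimed_brand_domain) for u in extract_links(msg)},
    }


def abuse_report(findings, claimed_brand: str) -> str:
    """Draft of the note to send to the relaying provider and the hosting site's admins."""
    lines = [f"Subject: Phishing scam impersonating {claimed_brand}", ""]
    if findings["first_hop_ip"]:
        lines.append(f"The message was relayed to us from {findings['first_hop_ip']}.")
    for url, reasons in findings["links"].items():
        if reasons:
            lines.append(f"It links to {url}: " + "; ".join(reasons) + ".")
    lines.append("Full headers of the original message are attached below.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(abuse_report(analyse(RAW_MESSAGE), "PayPal"))
```

The first Received header is the one our own mail server stamped, so its bracketed address is the machine that actually delivered the spam (the Powweb host above); anything further down was written by the sender and can say whatever the sender likes. The link check is deliberately strict about brand domains: a hostname that merely contains the brand (paypal.com.something.example) is flagged just like a bare IP.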
     

    Thursday, May 12, 2005

    Exceptions vs. Return Codes, part 912


    Picture credit: Congreve
    Hee hee. Joel's at it again, raising Cain in the age-old return-codes versus exceptions argument. Personally, I think it's case closed for return codes when both Raymond Chen and Joel Spolsky weigh in that exceptions are hazardous, to say the least. But, hey, I'll throw in my two cents (*sigh*, again).

    First, let's see what Joel has to say in his latest missive.

    Here’s the thing with exceptions... Your eyes learn to see wrong things, as long as there is something to see, and this prevents bugs. In order to make code really, really robust, when you code-review it, you need to have coding conventions that allow collocation. In other words, the more information about what code is doing is located right in front of your eyes, the better a job you’ll do at finding the mistakes. When you have code that says

    dosomething();
    cleanup();

    ...your eyes tell you, what’s wrong with that? We always clean up! But the possibility that dosomething might throw an exception means that cleanup might not get called. And that’s easily fixable, using finally or whatnot, but that’s not my point: my point is that the only way to know that cleanup is definitely called is to investigate the entire call tree of dosomething to see if there’s anything in there, anywhere, which can throw an exception, and that’s ok, and there are things like checked exceptions to make it less painful, but the real point is that exceptions eliminate collocation. You have to look somewhere else to answer a question of whether code is doing the right thing, so you’re not able to take advantage of your eye’s built-in ability to learn to see wrong code, because there’s nothing to see.


    It's worth repeating the highlighted sentence, because it's true no matter what the pro-exception crowd says: You have to look somewhere else to answer a question of whether code is doing the right thing. Because there's nothing to see.

    And that is why you will never be permitted to rely on an exception-based infrastructure if you write mission-critical code. There's no argument about that. None. If you write code for an OS, the FAA, NASA, a database engine, or a nuclear reactor, or any other sphincter-clenching application*, you will not be permitted to rely upon exceptions. Period.

    * Defined as any application that, the first time you run it in a production environment, causes: (a) your blood pressure to soar to double its normal levels, (b) you to break out in a cold sweat, or (c) under extreme circumstances, forces you to exert conscious control over certain bodily orifices.


    Quick summary: we won't be able to use exceptions if we're writing code for Joel's proverbial open-heart-surgery circular saw. By the way, if you don't agree with this contention, please take a close look at mission-critical software certification specs like DO-178B. Then get back to me.

    The reason exceptions are verboten is simple: the code can't be reviewed and validated in any contained fashion.
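    To make Joel's two-line example concrete, here is an added illustration (mine, not Joel's or Raymond's code) in Python: a constructed Resource records whether its cleanup ever ran, and the same "do something, then clean up" sequence is written three ways. Nothing at the exception-style call site reveals that cleanup can be skipped; the return-code version puts every exit path on the page.

```python
class Resource:
    """Constructed stand-in for a handle that must be released (file, lock, device)."""

    def __init__(self):
        self.cleaned_up = False

    def cleanup(self):
        self.cleaned_up = True


# --- exception style: the failure is invisible at the call site -------------
def dosomething_throws(res):
    # Somewhere down the call tree, something throws. Nothing at the
    # caller's site tells the reviewer that this can happen.
    raise RuntimeError("device unavailable")


def exception_style(res):
    dosomething_throws(res)   # Joel's two lines: "we always clean up", or so it looks
    res.cleanup()


def run_exception_style(res):
    try:
        exception_style(res)
    except RuntimeError:
        pass
    return res.cleaned_up      # False: cleanup never ran


def exception_style_with_finally(res):
    try:
        dosomething_throws(res)
    finally:
        res.cleanup()          # the fix Joel mentions; it helps only if someone knew to look


def run_exception_style_with_finally(res):
    try:
        exception_style_with_finally(res)
    except RuntimeError:
        pass
    return res.cleaned_up      # True


# --- return-code style: every exit path is right there to be reviewed ------
OK, ERR_UNAVAILABLE = 0, 1


def dosomething_rc(res):
    return ERR_UNAVAILABLE      # failure is a value, handled where it is produced


def return_code_style(res):
    rc = dosomething_rc(res)
    res.cleanup()              # reached on success and on failure alike
    return rc


def run_return_code_style(res):
    return return_code_style(res), res.cleaned_up   # (1, True)
```

The point is not that the finally version is wrong; it's that a reviewer reading `dosomething(); cleanup();` has to go and read dosomething's whole call tree before knowing whether the finally is needed, while the return-code version can be checked without leaving the screen.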

    And now that we've established that exceptions are forbidden in the adult world, I have a question for exception aficionados:

    Where do you draw the line between mission-critical and non-mission-critical software?

    I'd just like some guidance here: when is it okay to go for anything less than bullet-proof code? What are the rules for delineating between mission-critical and non-mission-critical?

    Update: In the comments area, Gil wrote the following. I thought it was worth calling out, for obvious reasons:

    I think you've already provided the most useful definition possible of mission-critical software: any software for which it's required to meet an existing standard of mission-critical reliability, like DO-178B or an equivalent. It wouldn't surprise me at all to find that most, if not all, such standards, don't mention or explicitly reject exceptions. This isn't surprising since such standards tend to be very conservative and to rely on time-tested best practices, for the same reason that the chips in the space shuttle are 486s.

    The point I think you're getting at is that even pro-exception coders won't use exceptions in life-threatening situations; by getting them to draw a line, they're implicitly accepting that exceptions are not a good coding practice, to be followed by the 2 in the 1-2 punch of "if they're not a good coding practice when lives are at stake, why would they be considered good when the software is less than life-threatening? Exceptions are generally bad, and should never be used. QED."

    The reason no one's drawing the line you're asking them to draw is because they recognize the dilemma you're presenting and are refusing to accept the initial premise.


    Exactly.

    Joel: Raising cain
     

    Google, DNS Cache Poisoning, and Phishers


    (Picture credit Quantrimang)
    InformationWeek reports that Google was knocked offline on Saturday. The cause: DNS Cache Poisoning. In a nutshell, bad guys can take advantage of various weaknesses in the DNS protocol (e.g., a combination of guessing sequence numbers and spoofing IP addresses) to pollute the caches of legitimate name servers. A good explanation of the history of DNS cache poisoning was published a while back on the SecurityFocus site.

    In addition, TechWeb reports that Phishers are also starting to use DNS weaknesses to their advantage. Phishers are the persons or organizations running bogus websites that mimic, say, Citibank... and try to capture authentication and identity data from legitimate customers. Having captured that information, the Phishers attempt to use it for financial gain.

    Aside from simply hosting bogus DNS servers on co-opted machines, they can also attempt nasty tricks like polluting hosts files on client machines. The effect? You think you're logging into Citibank, but you're really authenticating to a zombie Dell PC in Skokie, Illinois.

    Here's hoping that a robust generation of DNS software and browsers, sufficiently inoculated against these sorts of attacks, comes sooner rather than later.
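    What "sufficiently inoculated" looks like on the resolver side is mostly a set of checks a cache applies before it believes a reply. The snippet below is an added example written for this post (not code from any real resolver, BIND included) that models those checks on constructed query and response objects: the reply must come from the server we asked, carry the transaction ID and the port we chose, repeat our question, and only records inside the zone that server is responsible for (the "bailiwick") are cached. A forged reply with a guessed ID is dropped, and a genuine reply cannot smuggle in a record for some other domain.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Query:
    txid: int        # 16-bit transaction ID the resolver picked at random
    src_port: int    # randomised source port the query left from
    server: str      # address of the name server we sent the query to
    qname: str
    qtype: str


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    data: str


@dataclass
class Response:
    txid: int
    dst_port: int
    src_ip: str
    qname: str
    qtype: str
    answers: list
    additional: list = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or lies beneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def validate_response(query: Query, response: Response, zone: str) -> list:
    """Records a resolver may cache from this reply, or ValueError if the reply is bogus.

    zone is the zone the queried server was delegated for (learned during the
    referral chain), so records outside it are discarded rather than cached.
    """
    if response.src_ip != query.server:
        raise ValueError("reply from an address we did not query")
    if response.txid != query.txid:
        raise ValueError("transaction ID mismatch")
    if response.dst_port != query.src_port:
        raise ValueError("reply sent to a port we did not use")
    if (response.qname.lower(), response.qtype) != (query.qname.lower(), query.qtype):
        raise ValueError("question section does not match our query")
    return [rr for rr in response.answers + response.additional if in_bailiwick(rr.name, zone)]


class Cache:
    """Minimal cache that stores only validated records (TTLs omitted for brevity)."""

    def __init__(self):
        self.entries = {}

    def offer(self, query: Query, response: Response, zone: str) -> bool:
        try:
            records = validate_response(query, response, zone)
        except ValueError:
            return False
        for rr in records:
            self.entries[(rr.name.lower(), rr.rtype)] = rr.data
        return True


def demo():
    """Constructed exchange: one forged reply (wrong ID), one genuine reply with a stray record."""
    q = Query(txid=0x1234, src_port=40211, server="192.0.2.1", qname="www.example.org", qtype="A")
    forged = Response(0x1235, 40211, "192.0.2.1", "www.example.org", "A",
                      [Record("www.example.org", "A", "198.51.100.66")])
    genuine = Response(0x1234, 40211, "192.0.2.1", "www.example.org", "A",
                       [Record("www.example.org", "A", "203.0.113.5")],
                       additional=[Record("www.bank.example", "A", "198.51.100.9")])
    cache = Cache()
    results = (cache.offer(q, forged, "example.org"), cache.offer(q, genuine, "example.org"))
    return results, cache.entries


if __name__ == "__main__":
    print(demo())
```

Two of these checks are the ones the "guessing sequence numbers and spoofing IP addresses" attack in the article is aimed at: with a predictable ID and a fixed port, the forger only has to beat the real server to the reply. The bailiwick rule is what stops a reply for one domain from planting an address for another, which is the trick the phishers' bogus name servers rely on.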

    The Dailydave mailing list laid out the process.

    "The hostname that is hosting the phishing site is served up by five different name servers. Those five name servers are on home computers residing on networks such as Comcast, Charter, etc.

    "The name servers are using some sort of round-robin DNS to serve up five different IP addresses for the phishing site, and the five IP addresses used are changing every ten to fifteen minutes.

    "All of this seems to be a distributed phishing scam controlled by some sort of bot network. This type of phishing site organization is virtually impossible to get shut down, other than having the registrar of the domain deactivate the domain. Anyone that has ever worked with a registrar on something like this knows that it's like speaking to a wall."

    "These DNS servers can change the IP address of the fake site over and over again," said Hubbard. "Say the fake site is hosted in China, but is quickly shut down. The phisher just has to change the bogus DNS server and anyone clicking on a phishing link would get sent to another machine, maybe now in the U.S., that's hosting the phony site."
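    The pattern Dailydave and Hubbard describe (a handful of name servers on home connections, five addresses in rotation, and a fresh set every ten to fifteen minutes) is something a resolver log can detect even when no single host can be shut down. The script below is an added example of mine, not from Dailydave or TechWeb: it replays constructed resolver observations for a flux domain and a normal one, measures address churn and how many name servers sit in a constructed "residential" range, and flags the churning one. The documentation-range addresses and the residential prefix are stand-ins, not real telemetry.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed stand-in for cable/DSL customer ranges (the Comcast, Charter,
# etc. networks in the quote); a real deployment would use ISP allocation data.
RESIDENTIAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def _obs(domain, minute, ips, ns):
    """One resolver observation: (time, domain, A-record IPs, name-server IPs)."""
    return (datetime(2005, 5, 7, 10, 0) + timedelta(minutes=minute), domain,
            frozenset(ips), frozenset(ns))


PHISH_NS = {f"203.0.113.{i}" for i in range(1, 6)}     # five "home PC" name servers
LEGIT_NS = {"192.0.2.10", "192.0.2.11"}

# Constructed observations every 15 minutes for an hour: the flux domain hands
# out five brand-new addresses each time; the ordinary site never changes.
OBSERVATIONS = (
    [_obs("phish.example", 15 * k, {f"198.51.100.{5 * k + i}" for i in range(1, 6)}, PHISH_NS)
     for k in range(5)]
    + [_obs("shop.example", 15 * k, {"192.0.2.50"}, LEGIT_NS) for k in range(5)]
)


def is_residential(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RESIDENTIAL_NETS)


def flux_metrics(observations, domain):
    """Churn statistics for one domain over everything we observed about it."""
    rows = sorted((o for o in observations if o[1] == domain), key=lambda o: o[0])
    if not rows:
        return None
    ips_seen, ns_seen, changes, prev = set(), set(), 0, None
    for _, _, ips, ns in rows:
        ips_seen |= ips
        ns_seen |= ns
        if prev is not None and ips != prev:
            changes += 1                # the answer set was swapped out
        prev = ips
    span_min = (rows[-1][0] - rows[0][0]).total_seconds() / 60 or 1.0
    return {
        "distinct_ips": len(ips_seen),
        "ip_changes": changes,
        "span_minutes": span_min,
        "distinct_ns": len(ns_seen),
        "ns_residential_fraction": sum(map(is_residential, ns_seen)) / len(ns_seen),
    }


def looks_like_fast_flux(m, min_ips=10, min_changes_per_hour=2.0, min_ns_residential=0.5):
    """Flag when address churn is high AND the name servers look like home machines."""
    reasons = []
    changes_per_hour = m["ip_changes"] * 60 / m["span_minutes"]
    if m["distinct_ips"] >= min_ips:
        reasons.append(f"{m['distinct_ips']} distinct addresses served")
    if changes_per_hour >= min_changes_per_hour:
        reasons.append(f"answer set changed {changes_per_hour:.1f} times per hour")
    if m["ns_residential_fraction"] >= min_ns_residential:
        reasons.append(f"{m['ns_residential_fraction']:.0%} of name servers in residential space")
    return len(reasons) == 3, reasons


if __name__ == "__main__":
    for d in ("phish.example", "shop.example"):
        print(d, looks_like_fast_flux(flux_metrics(OBSERVATIONS, d)))
```

Requiring all three signals keeps large content-delivery sites, which also rotate addresses but do so from data-centre space, out of the alert. The thresholds are starting points; what matters is that the evidence for "speak to the registrar" is collected automatically rather than by hand.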


    p.s., Did you know Google offers a H4x0r search engine?

    p.p.s., On an unrelated topic, Google just bought the mobile social networking service Dodgeball. Combined with Google maps, the possibilities are amazing.
     

    Could the Saudis Blow Up Their Own Oil Infrastructure?


    (Picture credit BBC News)
    Frontpage Magazine features a fascinating article by Daniel Pipes. The topic: the possibility that the Saudis have booby-trapped their oil infrastructure to prevent anyone else from taking control.

    In what sounds like the far-fetched plot of a Bond film, Pipes describes Gerald Posner's new book about US-Saudi relations. Posner, the investigative reporter and author of ten books, reportedly based this assessment on a variety of "intelligence intercepts". Supposedly spurred on by veiled threats from the US State Department during the oil crush of the 1970's, the Saudis came up with their own plan to repel any would-be takeover.

    This became a top-priority project for the kingdom. Posner provides considerable detail about the mechanics of the sabotage system, how it relied on unmarked Semtex from Czechoslovakia for explosives and on radiation dispersal devices (RDDs) to contaminate the sites and make the oil unusable for a generation. The latter possibilities included one or more radioactive elements such as rubidium, cesium 137, and strontium 90.

    Collecting the latter materials, Posner explains, was not difficult for they are not useable in a nuclear weapon and no one had the creativity to anticipate Saudi intentions:

    It is almost impossible to imagine that anyone could have thought a country might obtain such material … and then divert small amounts internally into explosive devices that could render large swaths of their own country uninhabitable for years.


    Saudi engineers apparently then placed explosives and RDDs throughout their oil and gas infrastructure, secretly, redundantly, and exhaustively.

    The oil fields themselves, the lifeline for future production, are wired … to eliminate not only significant wells, but also trained personnel, the computerized systems that seemingly rival NASA’s at times, the pipelines that carry the oil from the fields …, the state-of-the-art water facilities (water is injected into the fields to push out oil), power operations, and even power transmission in the region.


    Nor is that all; the Saudis also sabotaged their pipelines, pumping stations, generators, refineries, storage containers, and export facilities, including the ports and off-shore oil-loading facilities...


    Pipes: Will the Saudis Blow Up Their Own Oil Infrastructure?
     

    Wednesday, May 11, 2005

    The Five Most Shocking Things About the ChoicePoint Debacle



    A senior editor at CSO Online, Sarah Scalet, shreds ChoicePoint in impressive fashion, highlighting some of the concerns I mentioned in several earlier blog-missives.

    Among the most amazing aspects of the aftermath of the incident were statements made by ChoicePoint's CISO, Rich Baich, who claimed that it really wasn't his concern:

    "Look, I'm the chief information security officer. Fraud doesn't relate to me."

    Wow.

    So, Rich, who would this sort of incident relate to, if not the CISO? Wouldn't some CISOs have established processes for analyzing access to the crown jewels? Say, detecting anomalous activity, or creatively discerning whether customer activities match up with their claimed size and role in the market? Or is the data held in the various repositories really not that crucial to ChoicePoint's business?
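    Here's what one of those processes might look like in its simplest form. This is an added example of mine, not anything ChoicePoint runs or CSO Online describes: a constructed daily audit log lists how many records each customer pulled and the size tier the customer declared when it signed up, and the check asks whether each customer's volume is plausible next to its declared peers. A robust baseline (median and median absolute deviation per tier) is used so that the fraudulent account cannot drag the baseline up with it.

```python
from collections import defaultdict
from statistics import median

# Constructed daily audit rows: (customer_id, declared_size_tier, records_pulled).
# C006 claims to be a small business yet pulls twenty times what its peers do.
DAILY_ACCESS = [
    ("C001", "small", 40), ("C002", "small", 35), ("C003", "small", 50),
    ("C004", "small", 45), ("C005", "small", 38), ("C006", "small", 900),
    ("C101", "large", 2000), ("C102", "large", 2400),
    ("C103", "large", 1800), ("C104", "large", 2200),
]


def peer_baselines(rows):
    """Per declared tier: (median daily pulls, robust scale from the MAD)."""
    by_tier = defaultdict(list)
    for _, tier, n in rows:
        by_tier[tier].append(n)
    base = {}
    for tier, counts in by_tier.items():
        med = median(counts)
        mad = median(abs(c - med) for c in counts)
        # 1.4826 * MAD estimates the standard deviation for roughly normal data;
        # fall back to 1.0 so a tier with identical counts does not divide by zero.
        base[tier] = (med, 1.4826 * mad if mad else 1.0)
    return base


def robust_z(n, med, scale):
    return (n - med) / scale


def flag_mismatched_customers(rows, threshold=5.0):
    """Customers whose pull volume does not fit the size and role they claimed."""
    base = peer_baselines(rows)
    flagged = []
    for cust, tier, n in rows:
        med, scale = base[tier]
        z = robust_z(n, med, scale)
        if z > threshold:
            flagged.append((cust, tier, n, round(z, 1)))
    return flagged


def review_queue(rows, threshold=5.0):
    """Lines a fraud analyst would see first thing in the morning."""
    base = peer_baselines(rows)
    return [
        f"{cust}: pulled {n} records, declared '{tier}' "
        f"(peer median {base[tier][0]:g}); robust z = {z}"
        for cust, tier, n, z in flag_mismatched_customers(rows, threshold)
    ]


if __name__ == "__main__":
    print("\n".join(review_queue(DAILY_ACCESS)))
```

The threshold of five is generous on purpose: the point is not to catch every busy customer but to make sure a "small business" behaving like a data broker lands on someone's desk, which is exactly the question a CISO ought to own.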

    ...The security community seems skeptical of Baich's argument too. CISOs have long asserted that their responsibilities ought to encompass all aspects of information protection-whether a vulnerability stems from insider misuse, an outside hack or (in ChoicePoint's case) a social engineering scam. It seemed an especially convenient moment for Baich to argue, uncharacteristically, that his job description is actually narrower than one would assume...


    It all really does translate back to process. You could have orchestrated a series of stellar vulnerability assessments, indicating that you'd closed all the holes known to exist... and then, only a week later, be utterly exposed to a catastrophic crime through a zero-day exploit. Good processes, creative and committed people, and -- least of all -- technologies together need alignment under the management of a CISO willing to take responsibility for all of IT. Not just firewalls and network monitoring - but application development, databases and other repositories, remote access, the gamut of offerings that make up today's IT world.

    ...It would also behoove companies to review their use and/or implementation of IT security best practices, such as the ISO 17799:2000 framework, as well as the NIST 800 series practices for sound IT security management. It's one thing to have the "CISO of the year in the State of Georgia" at the helm of your security function, but it's far better to have "state of the art" security best practice processes integrated into your business. Which would you prefer? I prefer the latter...


    An "award-winning" CISO unwilling to tackle the tough problems of information security is like a brand new Mercedes convertible... without an engine. On paper, it looks great. It just won't get you from point A to point B.

    CSO Online: The Five Most Shocking Things About the ChoicePoint Debacle
     

    The Political Influence of the Blogosphere



    If you've wondered what impact the blogosphere made on presidential politics in 2004, wonder no more. The analysts at Blogpulse have dissected the topography of the blogosphere -- both left and right -- and have come to some interesting conclusions.

    Coverage by political leaning was fairly balanced. Of 1,494 blogs that met the researchers' definition of influence, 759 were liberal and 735 were conservative... Even though numbers of blogs were fairly balanced, conservative blogs showed a greater tendency to link to other blogs (84% linked to other blogs, 82% received a link) compared to liberal blogs (74% linked to other blogs, 67% received a link). That behavior is captured in the [accompanying] graphic...


    Blogpulse: Political Influence of the Blogosphere
     

    Fending off a DDOS Attack


    (Picture credit SIGgraph)
    I usually don't link to Slashdot articles simply because they're so widely read. But this one is well worth the ten to twenty minutes in case you happened to miss it. It describes how an owner of a gambling website, faced with an extortionist, went through hell and back attempting to fend off a massive distributed denial-of-service (DDOS) attack.

    Slashdot: Taking on an online extortionist
     

    Eight Gigs


    (Picture credit IBsys and AP)
    Hitachi recently introduced its 8 gigabyte "Mikey" hard-drive. Shown here -- with dominos for perspective -- it can store several thousand MP3's in a tiny form-factor. Hitachi is basically saying to its competition (with apologies to Boyz n the Hood): "Domino, m*********r."
     

    Book Review: Frederick Forsyth's Icon



    Though it was published in 1996, Icon is especially relevant today, given Russia's wavering stance on democracy. Icon looks several years into the future, to a day where Russian crime syndicates, a teetering economy, and an American-style public relations campaign conspire to carry a man named Komarov to the office of president.

    The British embassy in Moscow, however, accidentally acquires a document Komarov never meant to make public. Called The Black Manifesto, it describes his plans to consolidate power, recapture the breakaway Soviet Republics, and launch a program of genocide against any religious group that could oppose him: Christians, Jews, and Muslims alike. In this effort, he is funded by a major mafia syndicate and has the support of a para-military organization not unlike Hitler's brown-shirts.

    While the manifesto alone is not enough to stir official Western government action against Komarov, it is sufficiently worrying that senior officials feel they must act. Retired British spymaster Sir Nigel Irvine, a hero of the Cold War, is brought back into the fold. And spyrunner Jason Monk, formerly of the CIA, is unretired.

    Like chessmasters, Irvine and Komarov move their pieces across the board in this brilliant, complex and wide-ranging novel. With the fate of Russian fascism -- and a Nazi-style genocide -- hanging in the balance, Irvine and Monk are the last, best hopes for a democratic Russia.