Wednesday, February 22, 2006

In the Wrong Business

Or at least, on the wrong side. From this Washington Post feature on computer crime (oops, that's so 80s, I meant "bot farming"):
He says his work earns him an average of $6,800 per month, although he's made as much as $10,000. Not bad money for a high school dropout.
It's a little hyped, but the feature is a good morning read.

One of the interesting facets of the hero of the story is that he's American, and more specifically, not Estonian or Russian or Chinese or Brazilian. Given all the press and crimeware work around phishing, I was beginning to think USian kids had all given up on nefarious hobbies and are now only interested in modding games and pirating hentai. Glad to see we're still in the online hooliganism game. :)

Monday, February 20, 2006

Phishing Bad Examples

I harped on this during my talk at RSA on phishing, and so did Aaron Emigh of Radix Labs (but he had way cool screenshots, so his ranting was more effective). Phishing Bad Examples are e-mail and website communications from companies which are pretty much indistinguishable from phishing messages -- they contain ratholes of redirects, obfuscated links, SSL in the wrong places, and strange third-party cousin domains.

Today, I got what I think is a phishing e-mail. But, thanks to this current state of affairs, I can't be 100% sure. It claims to come from Cox Communications, my cable ISP, and it hit me today, which is in line with my billing cycle. Except it addresses me by the wrong name, and gives me a link to some crazy domain I've never heard of.

So, those are the marks against. But I can't tell for certain because while the web site is still there, it doesn't actually ask me for any account information (just tells me to call them), it doesn't attempt to deliver any malware or exploits or anything, and the site kind of looks like a legit mass-mailing marketing company.

The disturbing part is that it was addressed to my super-secret e-mail address that I use for paying ebills through my bank, instead of my normal address or any of my spam-collection addresses. (I get lots of spam these days.)

So, if it's real, it's a terrible Bad Example of how not to do e-mail updates. If it's fake, it's probably a polling message to determine liveness of e-mail addresses (it comes with a web bug to confirm receipt, too) to phish me later, and the attacker in this case is working with insiders or has otherwise compromised Cox's operational security.

I've already informed Cox. We'll see how it turns out. If you'd like to check out the web site, it's at:
http://sdm3.rm04.net/servlet/Mail
View?ms=NDY5NTcwS0&r=MjM0MTYwMjUyOQS2&
j=MTA2ODAxMDQS1&mt=1

The URL above is wrapped on purpose, so you'll have to cut and paste. The info there is a real hash identifier -- substituting random values gives an error-ish response. Note that this site may well be operated by the Mafia, so don't go there unless you know what you're doing and you're properly sandboxed and all that.
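To make the "Bad Example" traits above concrete, here is an added checker (not from the original post) that scores an HTML e-mail for the signs mentioned: links to cousin or third-party domains, opaque tracking tokens in URLs, plain-http links, and 1x1 web-bug images. The sample message, the claimed sender domain "example.com" and the scoring are all constructed assumptions.

```python
"""Score an HTML e-mail for 'Phishing Bad Example' traits: cousin domains,
opaque tracking tokens, plain http links and 1x1 web bugs.
Added illustration; sample data and thresholds are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkAndImageCollector(HTMLParser):
    """Collect <a href> targets and <img> attribute dicts from HTML."""
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a)


def registrable(host):
    """Crude eTLD+1: last two labels (enough for .com/.net examples)."""
    return ".".join(host.lower().split(".")[-2:])


def bad_example_score(html, claimed_sender_domain):
    """Return (score, reasons). Higher = harder to tell from phishing,
    whether the mail is a real mass-mailer or an attacker's liveness probe."""
    p = _LinkAndImageCollector()
    p.feed(html)
    reasons, sender = [], registrable(claimed_sender_domain)
    for href in p.links:
        u = urlparse(href)
        if u.scheme in ("http", "https") and registrable(u.netloc) != sender:
            reasons.append(f"cousin/third-party link domain: {u.netloc}")
        if re.search(r"[?&][a-z]{1,3}=[A-Za-z0-9]{10,}", href):
            reasons.append("opaque tracking token in URL")
        if u.scheme == "http":
            reasons.append("link to plain http, not https")
    for img in p.images:  # 1x1 (or 0x0) image = web bug confirming receipt
        if img.get("width") in ("0", "1") and img.get("height") in ("0", "1"):
            reasons.append("1x1 web bug image (confirms address liveness)")
    return len(reasons), reasons


# Constructed sample resembling the billing notice described in the post.
SAMPLE_HTML = """<html><body><p>Dear Customer, your statement is ready.</p>
<a href="http://mail-track.example.net/servlet/View?ms=AbCdEf123456&amp;r=XyZ098765432">View bill</a>
<img src="http://mail-track.example.net/open.gif" width="1" height="1">
</body></html>"""
```

Run `bad_example_score(SAMPLE_HTML, "example.com")` to see all four flags fire; a notice linking only to https://billing.example.com scores zero.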

Autopatching? Nah, it's Only 2006

Over the weekend, I had a fit of consumer confidence, and bought myself a new $100 ATI Radeon 9550 video card. Being a naive and trusting sort, I hit the "Express Install" on the shipped CD, and it was pretty good -- ran through all the zillions of prompts automatically. This was the first time I can recall that "Express" really means "Express."

Unfortunately, it didn't work so well. It occurred to me about three quarters of the way through that I'm going to have to do this all over again if I want the latest and greatest patches. Which brought to mind the question of why, in the U.S. market, full of consumer broadband, do I have to do this install/download/patch dance any more? It seems like any software vendor should build into the installer an out-of-the-box option of, "Do you want to download the latest patches from your Internet connection? Note that this may take an extra 10 minutes."

It seems like this would be one really good way to get the brand new end user out of the unpatched backwater of shrink-wrapped CDs in the shortest amount of time, especially if the installer is smart enough to use the local copy and just download a binary diff file full of the patches, if it can do some simple ping tests to ensure connectivity.

Heck, come to think of it, this is how Debian Linux and FreeBSD work nowadays, pretty much. But, for some reason, this is beyond the prowess of all those mighty mainstream Win32 developers. Is there some kind of marketing reason not to do this?

Oh, and here's a troubleshooting tip I couldn't find on Google: If, after installing your brand new ATI Radeon 9550, you get horrid startup errors involving cli.exe and other ATI helper applications, just run through add/remove programs and uninstall anything that says "ATI" on it (except the "Drivers" entry, of course). Yes, this means you miss out on all those fifty zillion extras, but if all you're after is playing Evil Genius and Civilization IV without stutters, this will do the trick.

Friday, February 10, 2006

RFID-Zapper

I ran across a neato technology today: a pocket EMF pulse gun, aka, the RFID-Zapper. Since it's been reported that the U.S. e-Passport technology standard has been demonstrated as insecure in the Netherlands, destroying your RFID in order to protect your identity may become important while you're overseas in a year or two.

Strangely, I can't find anything at the U.S. State Department which says for sure if a passport with a busted RFID tag is still valid for re-entry, though I expect that the human-based interview will get you across the border with only a little extra hassle.

Thursday, February 09, 2006

Piracy for Ten Bucks

I've been playing a lot of Civ4 lately, instead of, oh, bettering myself or preparing for RSA. But during the day, my wife plays a lot of Reader Rabbit (usually with a kid around).

Because of this, switching CDs is a major hassle, and I feel like such a moron every time I think about this -- I'm a security dork who doesn't have the wherewithal to just edit out the check-the-CD bits on my Civ4 executable. At the end of the day, I'm a network guy, not an internals guy. Oh well.

But now I can pay these guys ten bucks to automate the process for me. How neato. Not that I will, because that would violate my EULA I imagine, and I'm a good person. But it's nice to know it's there, and it's certainly a lot easier than the alternative -- actually working at it.