<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Rossander's Security Reader</title>
	<atom:link href="http://rossander.org/infosec/feed/" rel="self" type="application/rss+xml" />
	<link>http://rossander.org/infosec</link>
	<description>an Information Security blog for the rest of us</description>
	<lastBuildDate>Tue, 02 Mar 2010 16:03:39 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Do these still work?</title>
		<link>http://rossander.org/infosec/2010/03/do-these-still-work/</link>
		<comments>http://rossander.org/infosec/2010/03/do-these-still-work/#comments</comments>
		<pubDate>Tue, 02 Mar 2010 15:54:49 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Cybercrime Trends]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=574</guid>
		<description><![CDATA[Nigerian 419 scams are still out there.]]></description>
			<content:encoded><![CDATA[<p>I got two spam messages today that I just have to share.   (<a href='http://rossander.org/infosec/wp-content/uploads/2010/03/419-Scam-example-1.pdf'>example 1</a> and <a href='http://rossander.org/infosec/wp-content/uploads/2010/03/419-Scam-example-2.pdf'>example 2</a>)  They are such blatant examples of the <a href=http://www.snopes.com/fraud/advancefee/nigeria.asp>Nigerian 419 scams</a> that I laughed out loud.
</p>
<p>Sadly the answer is &#8220;yes&#8221;, these scams do still work.  The FBI continues to report hundreds of millions of dollars in losses to these frauds each year.  Some are this blatant but some are quite a bit more subtle.  Variant scams target non-profits.  One recent wave alleged that the charity was the beneficiary in an unnamed donor&#8217;s will.  A surprising number of charities let blind hope get in the way of common sense.  <a href=http://en.wikipedia.org/wiki/Advance-fee_fraud>Wikipedia</a> has an extensive list of the variants.</p>
<p>So what can you do about it?  Some people retaliate.  There are whole organizations dedicated to wasting the scammers&#8217; time.  They respond with equally false stories about how they are &#8220;excited to be notified about the windfall&#8221; but because of a religious tenet, need a picture of you (the scammer) &#8220;in white robes balancing a loaf of bread on your head while holding a fish under each arm&#8221; before they can send the money.  <a href=http://www.419eater.com/index.php>Here</a> is one group that collects and publishes the &#8216;trophy&#8217; pictures of scammed scammers.</p>
<p>While it&#8217;s emotionally satisfying to think about retaliation, I strongly recommend that you just delete them.  I also encourage you to think about friends and family who might not be as aware of these scams as you are.  Do you have a dependent elder who is more trusting than he/she should be?  Do you have a friend or co-worker who is a great person but a bit gullible?  Send them copies of these scams so they learn what to look for.  Help them to set up the spam filters and other computer protections.  These scams are amazingly profitable.  They will continue as long as we continue to fall for them.</p>
<p><small> Some background:  The broader name for this kind of scam is the &#8220;advance-fee fraud&#8221;.  Following the collapse of the Nigerian economy in the 1980s, a large portion of the educated and computer-savvy population were unable to find gainful employment and turned their skills to crime in order to feed their families.  The preponderance of such scam emails coming from Nigeria&#8217;s 419 area code led to the current name even though the same scam has also been found originating from England, Spain, Ireland, USA, Canada, The Netherlands, Australia, etc.  An older version of this scam was carried out by regular mail in the early 1900s under the <a href=http://en.wikipedia.org/wiki/Spanish_Prisoner>Spanish Prisoner</a> name.</small></p>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2010/03/do-these-still-work/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>In Defense of the Filibuster</title>
		<link>http://rossander.org/infosec/2010/03/in-defense-of-the-filibuster/</link>
		<comments>http://rossander.org/infosec/2010/03/in-defense-of-the-filibuster/#comments</comments>
		<pubDate>Tue, 02 Mar 2010 01:21:42 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=571</guid>
		<description><![CDATA[The filibuster is an important check against the tyranny of the majority.]]></description>
			<content:encoded><![CDATA[<p><i> This post is not directly related to security though it does have some connections through the broader concept of <a href=http://rossander.org/infosec/>governance</a> and leadership.  It is something I&#8217;ve been thinking about a lot lately and I feel an obligation to write.  For those of you reading just for the tactical security tips, please skip this post.</i></p>
<p>Recently, there has been a great deal of chatter about eliminating the <a href=http://en.wikipedia.org/wiki/Filibuster>filibuster</a> &#8211; the rule within the Senate that effectively allows a single senator to hold up a bill by continuing to talk about it for hours, days or even weeks on end.  The filibuster has been rather famously used to disrupt the passage of key bills and nominations proposed by the majority power.  Filibusters are being described as a prime example of partisan bickering and legislative gridlock.</p>
<p>I disagree.  Yes, the filibuster can be abused for purely partisan purposes but at its core the filibuster is a way for the minority party (whether currently Democrat, Republican, Whig or Federalist) to keep a stake in the operations of government and to continue to influence debate.  Despite the threats about the &#8220;nuclear option&#8221;, neither party would be served by the elimination of the filibuster.</p>
<p>Much more importantly, the filibuster is a check against the <a href=http://en.wikipedia.org/wiki/Tyranny_of_the_majority>tyranny of the majority</a>.  By allowing a mechanism to raise the threshold for a vote from simple majority (50% plus 1) to a super-majority, it acts as a check against the ability of the majority to vote themselves unlimited privileges.  51% of the population could, for example, decide to fund the government by taxing just the other 49% &#8211; or less obviously, to skew the burden of taxation onto the minority.  Or the 51% could vote in a particular moral code which may not be held by &#8211; may even be anathema to &#8211; the 49%.</p>
<p>The majority could do so even in a situation where the 51% felt only weak agreement but the 49% disagreed vehemently.  Our simple majority voting system is prone to bias and sub-optimal decisions when the voting groups have different degrees of preference for a result or where multiple options could/should be considered.  (Wikipedia has an excellent discussion of <a href=http://en.wikipedia.org/wiki/Voting_system>alternative voting structures</a>, some of which are less susceptible to this bias though they each have their own limitations in turn.)</p>
<p>Our legislative system is also susceptible to a recency bias.  Get 51% today and even if you can only keep your majority for the time it takes to vote, the effects will long outlast the majority opinion.  In theory, it should be as easy to rescind a law as it was to pass it but in practice, it is remarkably hard to undo a law even in the face of convincing evidence that it is ineffective.</p>
<p>The filibuster is not the only check and balance in our system against the tyranny of the majority and recency bias and it&#8217;s not a perfect one but it is an important one.  A 61% majority might still impose their will on the remaining 39% but that higher threshold gives the affected minority a chance to raise the stakes and to force additional scrutiny on the debate.</p>
<p>Now there are those who say that the filibuster was a mistake &#8211; a minor omission in the procedural rules of the Senate that took on a life of its own.  If it was a mistake, it ranks as an outstanding example of <a href=http://en.wikipedia.org/wiki/Serendipity>serendipity</a>.  It subtly encourages one arm of the government to be more deliberative and circumspect in their aims.</p>
<p>I will concede, however, that some of the procedural rules changes within the Senate make it easier to use than was historically the case.  In particular, when the Senate allowed &#8220;tracking&#8221; in the early 1960s, the connection between the objection and visible debate was broken.  Jimmy Stewart in <i>Mr Smith Goes to Washington</i> is no more.  Under the current rules, a Senator lodges a procedural filibuster, the bill is tabled and the Senate moves on to other business.  No dramatic and colorful endurance exercises on the floor.  No pain at all, either for the Senator doing the filibustering or for his peers who should be listening to it.  Perhaps they should feel some pain though.  It might encourage them to actually address the underlying issues instead of adopting waiting games and back-room deals for votes.  A little bit of pain and a lot of visibility might put some skin back in the game.  It might return the filibuster to the status it once held &#8211; an important and special legislative tactic to be used only when truly needed.</p>
<p>Either way, it remains an invaluable protection for the rights of the minority.</p>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2010/03/in-defense-of-the-filibuster/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google v. Italy</title>
		<link>http://rossander.org/infosec/2010/02/google-v-italy/</link>
		<comments>http://rossander.org/infosec/2010/02/google-v-italy/#comments</comments>
		<pubDate>Fri, 26 Feb 2010 03:54:49 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=569</guid>
		<description><![CDATA[Google v. Italy is bad social policy.]]></description>
			<content:encoded><![CDATA[<p>If you haven&#8217;t heard by now, a number of Google executives were convicted in absentia by a court in Italy for failing to police some videos posted by users.  In this case, the video was a home movie of several teenagers bullying a peer with Down syndrome.  The video was anonymously posted to Google Videos where it stayed for several months.  Eventually, some adults noticed it and contacted the police who investigated and then asked Google to take the video down.  By all reports, Google did so within two hours of receiving the notification.</p>
<p>The Italian prosecutors felt that this was not fast enough and argued in court that Google had an affirmative responsibility for the content even though it was posted by others and even though Google does not exercise any control over the content.  One self-appointed consumer advocate is proclaiming this a &#8220;victory for individual privacy over corporate interest&#8221;.</p>
<p>I am an avid privacy activist but I&#8217;m not buying it here for several reasons.  First, it&#8217;s not possible to evaluate all the content that users are posting.  About twenty hours of video content are posted to YouTube alone every minute.  Add in all the other Web 2.0 sites and you&#8217;d need literally armies of people doing nothing but watching what other people are posting.  Nobody could afford that.  And even if you tried, that many people just couldn&#8217;t do the job without making mistakes.  Second, there&#8217;s no easy way to tell inappropriate content (like real bullying) from certain types of performance art.  That kind of stuff is not to my taste but other people &#8230; well, I won&#8217;t say they necessarily enjoy it, but they do it.  And heaven help you if you censor their artistic content.  Third, which set of standards will you apply?  Granted, beating up a kid with Down syndrome is bad in pretty much every culture but there&#8217;s nothing philosophically different between this case and the Chinese suppression of political dissent.  There is no way to draw the line about what is or is not acceptable.</p>
<p>Some commentators on this case have argued that other users added comments to the site that the video was inappropriate and that should have been enough to require Google to act.  Again, I don&#8217;t buy it.  User feedback and ratings can have a place but they are remarkably susceptible to abuse.  False reports are rampant, either as pranks or as retribution for negative ratings on other users&#8217; content.  Remember that the Internet is an inherently pseudonymous environment.  That is, even if you have to create a username to use a site, you can still create as many usernames as you want and they don&#8217;t necessarily have to have any connection to your real identity.  If you want to tank a site or skew a vote, just create a thousand or so accounts (often called &#8220;sockpuppets&#8221;) and have them all paraphrase your original opinion.  If you are careful to change your tone and word choice a bit, it&#8217;s very difficult to identify this kind of abuse.</p>
<p>It seems to me that the real culprits are the bullies who 1) abused the victim and then 2) posted the video.  Google appears to have been a good corporate citizen, acting quickly and responsibly once notified of a problem by the proper authorities.  Attempting to require Google or any other host to actively police every bit of content on their site would kill the very idea of user-generated content.  YouTube, Twitter, Facebook, MySpace, Wikipedia, &#8230;  all would be run out of business by this social policy.  And we would all be much poorer as a result.</p>
<p>I hope this case gets overturned on appeal.  It&#8217;s hard to predict, though.  European law is far less deferential to the idea of free speech than we are used to in the US.  They also have not been very successful at grappling with the implications of applying local standards to global operations.  If you expect others to kowtow to your local foibles, you have to be equally ready to defer to all of theirs &#8211; a standard that very few communities will tolerate in practice.</p>
<p>As a closing thought, I can&#8217;t help wondering if this court case was a smoke-screen.  It is suspicious that this case comes right as Google is being sued by the state-run media companies for alleged tolerance of copyright violations on the same site.  I feel for the kid who was being bullied but this smells to me more of political grandstanding and strong-arm negotiations than it does of a legitimate privacy case.</p>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2010/02/google-v-italy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Add-ons &#8211; defined</title>
		<link>http://rossander.org/infosec/2010/02/add-ons-defined/</link>
		<comments>http://rossander.org/infosec/2010/02/add-ons-defined/#comments</comments>
		<pubDate>Tue, 23 Feb 2010 02:51:54 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Definitions]]></category>
		<category><![CDATA[Home Computer]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/2010/02/add-ons-defined/</guid>
		<description><![CDATA[Add-ons are optional software components that, in theory, increase the functionality and/or usability of the original program.  Some can be dangerous, though.  Here's how to find the safe ones.]]></description>
			<content:encoded><![CDATA[<p>My dentist was asking about his computer this evening.  He&#8217;s been having some trouble that might indicate a virus or could just be a sign that the computer&#8217;s getting a bit old.  Along the way, he talked about some add-ons that seem to have added themselves to his system and he wasn&#8217;t really sure what they were.  Between the novocain and the drill, I&#8217;m sure my answer was completely incoherent so here is an attempt to better answer the questions &#8220;What is an add-on&#8221; and &#8220;Should I let it be added to my computer&#8221;.</p>
<p>First, what is an add-on?  (Other names include plug-in, extension and sometimes theme.  More on that later.)  An add-on is an optional software component that, in theory, increases the functionality and/or usability of the original program.  Most people learn about add-ons in the context of their internet browser, especially if you are a <a href=http://www.mozilla.org>Firefox</a> user.  Add-ons can improve your computer&#8217;s security (by blocking scripts and ads), make certain actions easier (like viewing pictures or updating webpages), improve compatibility with other programs such as Java or QuickTime or just customize the look and feel of the computer.</p>
<p>Add-ons can also be malicious trojan horses, bringing along all sorts of viruses and vulnerabilities to your computer.  If you find an add-on you like &#8211; and there are some good ones out there &#8211; be sure that you get it from a reliable source.  If you&#8217;re looking for add-ons to Mozilla&#8217;s Firefox, for example, go to Tools/Add-ons and look for the <a href=https://addons.mozilla.org/en-US/firefox>Browse all add-ons</a> link.  That will take you directly to the official Mozilla site.  Internet Explorer has a similar path.</p>
<p>Some add-ons can be very helpful.  I really like NoScript and AdBlock for Firefox.  Between the two of them, they make my browsing much safer.</p>
<p>Many add-ons are neutral from a security point of view &#8211; they may make your browsing experience better but they neither help nor hurt your computer&#8217;s security.</p>
<p>Some are downright dangerous &#8211; add-ons that include some hidden code that lets the author control your computer or that otherwise subvert your security.  Those tend to get filtered out of the legitimately sponsored sites pretty quickly but they are a real danger in chat rooms and unmoderated forums.</p>
<p>And an unfortunate number of add-ons are offered with a good heart but either badly written or just don&#8217;t take into account all the possible configurations that are out there &#8211; and when used in combination with some other add-on or program, they create new vulnerabilities that didn&#8217;t exist before.  I put all the Google and Yahoo Toolbar add-ons in this category &#8211; well-intentioned but fundamentally unsafe.</p>
<p>Add-ons also tend to go out of support fairly quickly.  They are often written by volunteers, after all.  Microsoft has a financial incentive to keep programmers pounding away, patching their products.  If a hacker finds a hole in an add-on, it may or may not get fixed quickly.</p>
<p>If you find an add-on you like, read the reviews to see what other users say about it.  See if anyone has had concerns about unexpected interactions or problems.  See if it&#8217;s been updated recently and find a legitimate download site.  Then back everything up on your computer before you install it.</p>
<p>On the other hand, if your computer &#8220;spontaneously&#8221; offers to install an add-on, the right answer is almost invariably to reject it.  If it looks like it might be useful, go to a legitimate site and read the reviews, then decide for yourself.</p>
<p><small>When an add-on is primarily designed to change the look and feel &#8211; background colors, fonts, logos, maybe even layout and organization of buttons &#8211; but not to change the underlying function of the program, that&#8217;s usually called a &#8220;theme&#8221;.   There are literally thousands of themes available including ones for just about every sports franchise imaginable.  They are commonly available not merely for your browser but also for your phone and for many other computer applications such as Media Player.  Themes are usually safer to load since they are not supposed to affect the program but be careful.  Something advertised as merely a theme can still include malicious code.  And a badly written theme can cover up functions you do need, like say, the undo button &#8211; it&#8217;s still there but you can&#8217;t reach it because some other button is in the way.  Like other add-ons discussed above, only consider themes from reputable sources.  If you&#8217;re not sure, stick with the default theme.</small></p>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2010/02/add-ons-defined/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Olympic scams</title>
		<link>http://rossander.org/infosec/2010/02/olympic-scams/</link>
		<comments>http://rossander.org/infosec/2010/02/olympic-scams/#comments</comments>
		<pubDate>Mon, 15 Feb 2010 14:47:44 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=566</guid>
		<description><![CDATA[Several examples of Olympic-themed scams]]></description>
			<content:encoded><![CDATA[<p> It seems that nothing is safe from being abused these days.  Several security software vendors have announced a number of different scams based on the 2010 Winter Olympics in Vancouver.  <a href=http://www.messagelabs.com/>MessageLabs</a> offers two examples.</p>
<ul>
<li> An email with the subject, “Information and resources to help you travel during the Vancouver 2010 Winter Games. TravelSmart 2010.htm” includes legitimate links but contains hidden code embedded in the email which can be used to drop almost anything on the victim’s computer.</li>
<li> An email with the subject, “How to make Olympics more interesting”.  In this case, the attack is buried in an attached presentation file and will attempt to install other malware on your computer.</li>
</ul>
<p> Based on the reports so far, these scams appear targeted at specific people (an attack mode known as <a href=http://www.fbi.gov/page2/april09/spearphishing_040109.html>spearphishing</a>).  The rest of us may or may not ever see them but they are highly dangerous to the few people that do get targeted.  Here are some ways to stay safe:</p>
<ol>
<li> Buy from legitimate sites.  This includes your Olympic tickets.  Scalpers are already showing a disdain for the law.  What makes you think they&#8217;ll respect your computer privacy?  There are legitimate online fan-to-fan sites for reselling tickets (one such is Vancouver2010.com) but you have to do your homework to be sure it&#8217;s a reputable site.</li>
<li> If it sounds too good to be true, it probably is.  We&#8217;ve said this many times before but greed remains one of the hackers&#8217; best weapons.  Be suspicious.</li>
<li> Be especially suspicious of links in emails or IM messages.  Look up the legitimate site on Google or type the address into your browser yourself.</li>
<li> Never fill out forms in messages.  Legitimate companies will never ask for personal, financial or password information through an email message.</li>
</ol>
<p> Enjoy the games &#8211; safely.</p>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2010/02/olympic-scams/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are passwords still viable?</title>
		<link>http://rossander.org/infosec/2010/02/are-passwords-still-viable/</link>
		<comments>http://rossander.org/infosec/2010/02/are-passwords-still-viable/#comments</comments>
		<pubDate>Mon, 08 Feb 2010 14:19:40 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Passwords]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=563</guid>
		<description><![CDATA[Passwords are the least bad security option we have today.]]></description>
			<content:encoded><![CDATA[<p> How many different passwords do you have?  Add up all the ones on your work computer, your bank account, 401(k), personal email account, amazon, google, ebay, twitter, facebook, linkedin, wikipedia, professional organizations, other shopping sites&#8230;  The list goes on and on.</p>
<p> Each password has to be strong enough to protect the information behind it.  Of course, knowing that we are all basically lazy (and that they will be held responsible if the account is hacked), the companies hosting these services require &#8220;strong&#8221; passwords &#8211; numbers, punctuation, no duplication, etc.  And without universal standards, we end up with a hodge-podge of passwords that are impossible to keep straight.</p>
<p> One answer is a &#8220;password management&#8221; program, often built right into your web browser.  These programs remember your logins and passwords for you and automatically fill them in as soon as you go to the page.  There are several problems with them, though.</p>
<ol>
<li> When your computer gets stolen, you lose <i>all</i> your passwords.</li>
<li> If the <a href=http://rossander.org/infosec/2006/11/stored-password-vulnerability/>password manager gets hacked</a>, you again lose everything all at once.</li>
<li> The passwords are only available while you&#8217;re working on that one computer.  You&#8217;re out of luck if you need to check your account from your mother-in-law&#8217;s.</li>
<li> And, of course, these don&#8217;t do anything for the passwords you need to track that aren&#8217;t associated with web pages.</li>
</ol>
<p> A perhaps-better answer is a single sign-on service.  In this model, you create one account with a widely accepted and trusted service that then authenticates you to the merchants.  The <a href=http://openid.net/>Open ID Foundation</a> is probably the best known, accepted by about 9 million websites including Google and Yahoo.  This still leaves all your eggs in one basket but at least the basket is not in your easily-stealable laptop.  On the other hand, if any one of those 9 million websites gets hacked, the thief might then be able to forge your credentials on the other sites.  I&#8217;d trust their service for accounts I don&#8217;t care much about (google, email, shopping sites, etc) but not yet for my bank account.</p>
<p> Several academics are experimenting with using your cell phone as your password manager.  It&#8217;s an interesting idea since we are so very attached to them.  But we also lose them at an incredible rate.  And if you think you get resistance about your computer passwords, try requiring a strong password on a phone.</p>
<p> Biometrics?  There are some interesting new ideas about facial recognition using the built-in webcam of many modern laptops and others that track things like your typing patterns.  None are ready for prime time yet.</p>
<p> All told, I think we&#8217;re still in a bad place.  Passwords are the least unworkable answer we have today.  Try to pick <a href=http://rossander.org/infosec/2010/01/resolve-to-make-stronger-passwords-in-2010/>strong passwords</a>, use a pattern that lets you <a href=http://rossander.org/infosec/2008/02/managing-multiple-passwords/>modify a core password</a> according to the site you&#8217;re visiting, change the important ones regularly and <a href=http://rossander.org/infosec/2008/01/never-share-your-password/><b>never, never, never</b></a> share your password.  If you must write them down, keep them in a dedicated and highly secure application like the old Blackberry password vault.</p>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2010/02/are-passwords-still-viable/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Airport security overreactions</title>
		<link>http://rossander.org/infosec/2010/01/airport-security-overreactions/</link>
		<comments>http://rossander.org/infosec/2010/01/airport-security-overreactions/#comments</comments>
		<pubDate>Thu, 07 Jan 2010 21:46:00 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=558</guid>
		<description><![CDATA[Airport security overreactions are a sign that our fundamental approach to security is wrong.]]></description>
			<content:encoded><![CDATA[<p> I don&#8217;t know what&#8217;s happening today but suddenly there are multiple stories about airport security &#8220;breaches&#8221; that aren&#8217;t and, more worrying, massive over-reactions on the part of the authorities.</p>
<p> In the first story, a <a href=http://news.yahoo.com/s/ap/20100107/ap_on_re_us/us_newark_airport_evacuation;_ylt=AlW8LI8dv6iziI4pLPOlS4ZH2ocA;_ylu=X3oDMTE1a203bnV1BHBvcwMyBHNlYwN5bi1jaGFubmVsBHNsawNjb3VwbGVzbGFib3I->lovesick schmuck</a> walked in the exit path and ducked under a rope at Newark Int&#8217;l Airport in order to give his significant other a hug before she got on her plane.  The guard who should have prevented this was not at his post.  TSA isn&#8217;t saying why.  They are, however, trying to find the man who gave the hug and threatening criminal charges.</p>
<p> Admittedly, the breach resulted in a huge disruption not only of air traffic at Newark but also cascading throughout the world as connecting flights were delayed.  This was an expensive mistake.  But it&#8217;s not the fault of the man who jumped the rope.  The disruption is directly attributable to the pointless security theater practiced by the TSA.  These threats to press charges are a transparent attempt to deflect attention from the fact that their security protocols are expensive, intrusive and, worst, inherently ineffective.  It might be different if we were actually getting some increased security in exchange for our sacrificed civil liberties but this is just pointless.</p>
<p> The second story is an <a href=http://news.yahoo.com/s/time/20100107/wl_time/08599195201600>internal test gone wrong</a>.  Slovakian security experts were testing the effectiveness of the bomb-sniffing dogs.  To make the test as realistic as possible, they snuck some high explosive into a passenger&#8217;s bags after check-in but before the bags went onto the plane.  There was no detonator or other means to set it off, just the raw material.  The dog successfully found the explosive but the handler apparently got distracted and forgot to take it out before the bags were loaded.  The mistake wasn&#8217;t found until the plane was in the air toward Ireland.  They radioed the pilot, though, who decided that there was no risk (no detonator, remember?).  They also notified the folks at Dublin Airport.</p>
<p> That didn&#8217;t stop the Irish security from arresting the innocent man whose bags were used in the test.  He was later released (we hope with some kind of apology).  The Irish government has focused not on their overreaction but on the &#8220;riskiness&#8221; of the test, calling it &#8220;unprecedented&#8221;.  Realistic tests are not only accepted but are best practice.  Do you really want to train your dog using only fake materials?  How will you know whether she&#8217;s actually reacting to the right triggers?  An explosive-sniffing dog that only reacts to Play-Doh (which looks and feels like C4 and might even smell like it to a human) won&#8217;t do any of us much good.  Despite the Irish government&#8217;s spokesperson&#8217;s claims, tests with real materials are normal.  Again, deflecting.</p>
<p> The third story is a domestic traveler who wanted to bring home some <a href=http://alertnet.org/thenews/newsdesk/N0572586.htm>honey</a>.  Knowing that there are new restrictions, he called TSA who confirmed that honey, like other foodstuffs, can be checked in your baggage (though it may not currently be taken as carry-on).  TSA claims that the plastic bottles of honey tested positive for TNT and TATP and that two of their screeners had to be &#8220;rushed to the hospital&#8221; after opening the bottles.  Subsequent tests showed no explosives &#8211; the two screeners are now being described as &#8220;just nervous&#8221;.  That didn&#8217;t stop TSA from yanking the victim off the plane and disrupting travel for hours.  All of it pointless, though at least this time TSA is taking at least a little bit of ownership for their mistake.</p>
<p> NPR ran a report a few days ago talking about the inherent difficulties of looking for bombs instead of looking for terrorists.  On any given flight, there are only about a hundred suspects.  There are, however, literally tens of thousands of hiding locations for bombs.  And new security protocols always address the last threat, never the next threat.  Terrorists adapt.  Their tactics are not static.  Make us take off our shoes &#8211; the explosives go in the coffee cup.  Ban all liquids &#8211; try the underwear.</p>
<p>  Next up, <a href=http://seminal.firedoglake.com/diary/21709>carry the explosives in a body cavity</a>.  Actually, that&#8217;s not even novel &#8211; it&#8217;s already been used in an Al Qaeda assassination attempt against one of the Saudi princes.  And all those fancy whole-body scanners can&#8217;t do a thing to stop it.</p>
<p> As a society, we keep hoping that by sacrificing &#8220;just this one more&#8221; bit of our personal dignity and liberty, we will finally be safe.  That&#8217;s not and never will be true.  The recent failures highlight not tactical failures in the implementation of our security but a wholesale failure in the underlying security strategy.  It&#8217;s time to rewrite our approach from the ground up.</p>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2010/01/airport-security-overreactions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Resolve to check your credit report in 2010</title>
		<link>http://rossander.org/infosec/2010/01/check-credit-report-in-2010/</link>
		<comments>http://rossander.org/infosec/2010/01/check-credit-report-in-2010/#comments</comments>
		<pubDate>Thu, 07 Jan 2010 14:20:22 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Credit report]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=554</guid>
		<description><![CDATA[Resolve to check your credit report more in 2010.]]></description>
			<content:encoded><![CDATA[<p> Last time, we talked about resolving to make stronger passwords in the new year.  This might also be a good time to resolve to check your credit report more regularly.</p>
<p>You are entitled to a free copy of your credit report (though not your <a href=http://rossander.org/infosec/2009/08/creditkarma-com-is-an-interesting-new-site/>credit score</a>) every 12 months.  Follow the instructions at <a href=http://www.annualcreditreport.com/>www.annualcreditreport.com</a> to request your credit report from each of the three major credit reporting agencies.  (Stay away from the scam site that runs the goofy ads and has &#8220;free&#8221; in the domain name.  They are anything but free.)</p>
<p>When reviewing the credit reports, look for:</p>
<ul>
<li> adverse actions on your accounts that might indicate that you have been a victim of identity theft</li>
<li> accounts that have been opened in your name without your knowledge. Even if the identity thief is making the payments regularly, the account could still be in use for illegal activities.</li>
</ul>
<p>If you find a discrepancy, follow the specific instructions on the website to dispute any incorrect information.</p>
<p>Some other suggestions:</p>
<ul>
<li> Don’t forget to check the credit reports of your immediate family members, especially minor children and dependent elders. Both of those groups are at elevated risk of identity theft.</li>
<li> Remember that you are also eligible for a report every 12 months from any of the specialty agencies which have information about you.</li>
<li> If you want more frequent feedback on your credit history, consider asking for your free copy from only one of the major credit reporting agencies at a time. Space the requests for the other two agencies out every four months. For example, you could ask for your free copy from Experian in March, your free copy from TransUnion in July and your free copy from Equifax in November. Once you start, you will have to keep the same rotating pattern. Schedule the requests on your calendar.</li>
</ul>
<p> Note: Several people have asked my opinion of credit monitoring services.  I do not consider them worth the money if you are taking the regular precaution of checking bank and credit card statements and are reviewing your credit report at least annually.  They might be useful if you are a recent victim of identity theft or are in some other high-risk category but they&#8217;re overkill for most of us.</p>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2010/01/check-credit-report-in-2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Resolve to make stronger passwords in 2010</title>
		<link>http://rossander.org/infosec/2010/01/resolve-to-make-stronger-passwords-in-2010/</link>
		<comments>http://rossander.org/infosec/2010/01/resolve-to-make-stronger-passwords-in-2010/#comments</comments>
		<pubDate>Tue, 05 Jan 2010 20:59:54 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[Passwords]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=550</guid>
		<description><![CDATA[Resolve to pick stronger passwords.  Use pass-phrases, use variant rules and never share your password.]]></description>
			<content:encoded><![CDATA[<p>Happy New Year, all.  I hope you had a wonderful and safe holiday.  It&#8217;s a brand new year &#8211; time to make resolutions to do better and be better people.</p>
<p>One resolution that we&#8217;ve talked about before is the need to make better, stronger passwords to keep your identity and your customers&#8217; information secure.  Americans still have a nasty habit of picking passwords from the dictionary.  When the system requires numbers or extra characters, we tend to add them to the end.  Hackers know this and exploit the pattern when they build programs to break your password.  Here are a few suggestions to make their lives harder (without making your passwords so impossible to remember that you write them down).  None of these suggestions are new but hopefully this is a useful reminder.</p>
<ol>
<li> Pick a <a href=http://rossander.org/infosec/2008/01/resolve-to-make-stronger-passwords-in-2008/>pass <b>phrase</b></a>, not a pass<b>word</b>.  A good hacker can test your password against every word in the dictionary in something under 30 sec.  Testing every possible combination of 7 random characters takes not that much longer.  A five word passphrase, on the other hand, can not be brute-forced using current computers in the time remaining in the life of the universe.  And because of how our brains are wired, phrases are much easier to remember than strings of characters.</li>
<li> Make each password a unique variant using some personal rule about the site that you&#8217;re logging into.  That way, you won&#8217;t lose everything just because the hacker cracks one site but you can still keep the number of things you must memorize to a minimum.  <a href=http://rossander.org/infosec/2008/02/managing-multiple-passwords/>Here</a> is a link to one technique.</li>
<li> Never share your password.  Not to your boss, your co-workers, your spouse, no one.  Nobody should know your password except you.  (The only exception I allow is that parents should insist on a copy of all passwords used by their underage children.  Keep it safe, though.)</li>
<li> Make sure you&#8217;ve changed the <a href=http://rossander.org/infosec/2007/04/drive-by-router-vulnerability/>default password</a> on accessories like your router.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2010/01/resolve-to-make-stronger-passwords-in-2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OH Supreme Court gets one right on privacy, Australia gets one wrong</title>
		<link>http://rossander.org/infosec/2009/12/oh-supreme-court-gets-one-right-on-privacy-australia-gets-one-wrong/</link>
		<comments>http://rossander.org/infosec/2009/12/oh-supreme-court-gets-one-right-on-privacy-australia-gets-one-wrong/#comments</comments>
		<pubDate>Wed, 16 Dec 2009 04:29:19 +0000</pubDate>
		<dc:creator>Mike Rossander</dc:creator>
				<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://rossander.org/infosec/?p=548</guid>
		<description><![CDATA[Ohio Supreme Court rules in favor of privacy, overturning a warrantless search of mobile phone content.
Australia proposes the strictest internet filtering of any democracy in the world.]]></description>
			<content:encoded><![CDATA[<p> Two interesting privacy positions came out today, one from the Ohio Supreme Court and one from the Australian Ministry of Communication.</p>
<p> In the Ohio case, the Supreme Court ruled that the police need a warrant to search the contents of your phone.  The case comes from a drug bust.  From the available evidence, the guy was guilty as sin.  Unfortunately, when the police arrested him, they confiscated and then, without either a warrant or his consent, searched the phone.  The trial court allowed the evidence from the warrantless search citing a 2007 federal court decision that considered a cell phone similar to a &#8220;closed container&#8221;.  (The closed container rule is what lets the police look in your pockets when they arrest you.)  For physical items, the closed container rule makes some sense &#8211; you need to be sure your prisoner is not still in possession of something that could be used as a weapon.  And if you happen to see other evidence while checking for physical threats, at least you had a reasonable justification to be looking.</p>
<p> Now, you could argue that a phone is an &#8220;information container&#8221;.  The trial court did and an appeals court agreed.  And so did three of the seven Ohio Supreme Court justices.  But four of the justices were unable to make that stretch and I agree with them.  A phone or a hard drive may be an information container but the information within it can&#8217;t be used as an immediate weapon to threaten the safety of the arresting officers.  The justification for a warrantless search is missing.  There is no immediacy.  So does this mean we have to let drug dealers go free?  No, it just means the police need to talk to a judge before they search the phone.  They need a warrant, just like they do for almost all other searches.  I think this ruling is in keeping with the privacy expectations of most of us.</p>
<p> There is one caveat in the Supreme Court&#8217;s ruling &#8211; they can search the content of your phone if they believe their safety is in danger.  I am at a loss to think of a scenario where a phone would constitute a danger but expect some pretty specious arguments.  Overall though, this was a clear win for privacy.</p>
<p> The story from Australia is a lot less promising.  The Australian Communication Minister announced today that it will impose mandatory internet filtering to block &#8220;obscene and crime-related websites&#8221;.  That content is already illegal to publish in Australia but they have no ability to control it when a citizen accesses the content from an overseas server.</p>
<p> If the filter is implemented, it would be the strictest among the world&#8217;s democracies.  It would put Australia in the same ranks as Burma, China, Iran, Syria and North Korea.<sup><a href=http://map.opennet.net/>1</a></sup>  Unfortunately, the Minister has also already conceded that the filter will be ineffective, despite the success of a recent technological test.  Much of the information that he proposes to block is available via peer-to-peer and chat sites, neither of which would be affected by the domain name-based filters which are being proposed.  The filters also inevitably block some proportion of legitimate content.  The result would be a sweeping grant of power to create a secret blacklist to little or no obvious gain.  <a href=http://www.efa.org.au/>Electronic Frontiers Australia</a>, a privacy rights group, has challenged the government&#8217;s plans, saying &#8220;We&#8217;re yet to hear a sensible explanation of what this policy is for, who it will help, and why it is worth spending so much taxpayers&#8217; money on.&#8221;</p>
<p> In both these cases, it&#8217;s easy to empathize with the &#8220;tough on crime&#8221; position.  Drug dealers are evil and obscenity is bad.  But the erosion of privacy and other personal liberties is far worse, no matter how well-intentioned.  I am heartened that the Ohio Supreme Court found the right decision even though it took an ugly case to bring it to light.  I hope that the Australians find their way as well.</p>
]]></content:encoded>
			<wfw:commentRss>http://rossander.org/infosec/2009/12/oh-supreme-court-gets-one-right-on-privacy-australia-gets-one-wrong/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
