Security

Andy Brice decided to test various download sites to see which ones would give awards (and expect a banner to be posted by the developer’s website with a link back) to a piece of “software” that consisted only of a text file named “awardmestars” containing the words “this program does nothing at all” repeated several times. He submitted it to 1033 sites, of which 218 sites listed it and 421 rejected it. Of those that accepted it, 11% gave it an award (he’s currently at 23 awards): The truth is that many download sites are just electronic dung heaps, using fake awards, dubious SEO and content misappropriated from PAD files in a pathetic attempt to make a few dollars from Google Adwords. Hopefully these bottom-feeders will be put out of business by the continually improving search engines, leaving only the better sites.He notes the following sites which wrote him to say to stop wasting their time, indicating that they actually check submissions: ...

It was only a matter of time. Where John Todd, Mike Warnke, “Lauren Stratford,” and others found that they could get attention and money by claiming to be ex-Satanists/witches/Illuminati converted to Christian evangelists, we now see “ex-Islamic terrorists” turned born-again Christians and hitting the lecture circuit, and getting paid for appearances at the U.S. Air Force Academy, as the New York Times reports. The Times article ends with the most obvious question: Arab-American civil rights organizations question why, at a time when the United States government has vigorously moved to jail or at least deport anyone with a known terrorist connection, the three men, if they are telling the truth, are allowed to circulate freely. A spokesman for the F.B.I. said there were no warrants for their arrest.Of the three speakers, Zak Anani, Kamal Saleem, and Walid Shoebat, Anani is described as the most explicitly preaching born-again Christianity rather than providing information about Islamic terrorism. He also seems to be the one with the clearest record of making false claims about his own background: Anani, now an evangelical Christian, claims to be an expert on the topic because he killed 223 people in Allah’s name, “two-thirds of them by daggers.” He even claims to have killed a man for waking him up at 3 a.m. to pray. Anani, born in Lebanon, said he joined a militant Muslim group in the early 1970s at age 13, and made his first kill shortly after. … He said he was soon promoted to troop leader and formed his own regiment, but later met a Christian missionary and converted. ...

The March 6, 2008 issue of The Economist features lots of interesting articles (it includes one of the quarterly technology reviews), one of which is “Feel safer now?" This is a report on a study by economists in Texas and Alabama commissioned by the Copenhagen Consensus, which looks at the effects of increased spending on counterterrorism efforts and “homeland security” globally since 2001, and the effects. They calculate that while such spending has increased by somewhere between $65 billion and $200 billion a year, the benefits are far smaller than the costs of terrorism, which were about $17 billion in 2005. While the spending may have prevented some incidents, even if this extra spending prevented 30 attacks like the July 2005 London bombings every year, it would still be more expensive than the damage from terrorism. The authors suggest that the benefits from increased counterterrorism spending have been about 5-8 cents per each dollar of spending, whereas if instead money was spent specifically on disrupting terrorist finances, $5-$15 of benefits could be obtained for each dollar spent.

The ACLU reports that the Terrorist Screening Center’s watch list reached 700,000 names in September 2007, and is adding 20,000 new names per month. “At that rate, our list will have a million names on it by July. If there were really that many terrorists running around, we’d all be dead." Names on the list include: Robert Johnson Alexandra Hay Evo Morales (president of Bolivia) Saddam Hussein (dead former dictator of Iraq) the 9/11 hijackers (all still dead) Gary Smith John Williams Edward Kennedy (Massachusetts Senator) John Lewis (U.S. Rep. from Georgia) Daniel Brown (U.S. soldier detained on way home from Iraq) James Moore (author of book critical of Bush administration) Catherine (“Cat”) Stevens (wife of Sen. Ted Stevens) Yusuf Islam (formerly known as Cat Stevens) Vernon Lewis (retired Major General, U.S. Army) Robert Campbell (U.S. Navy, retired) David Nelson John William Anderson Don Young (U.S. Rep. from Alaska) The whole idea of checking names for flight screening is nearly pointless, since terrorists are capable of getting fake ID. It’s absolutely idiotic to have extremely common names on the list and subject everyone who happens to have a common name to extra screening every time they fly. The right way to do screening is to use mechanisms like randomly subjecting people to extra screening and to have people undercover trained to identify suspicious behavior in the terminal–and to use multiple mechanisms that are randomly changed from day to day, so that security measures tested on one day will not be the exact measures in place on a later day. UPDATE (March 18, 2008): Note that the no-fly list is a subset of the terrorist watch list. The former is what I criticize in the last paragraph. An FBI audit has stated that the information the FBI supplies for the terrorist watch list is “outdated and inaccurate." ...

The Miami Herald has uncovered a new Homeland Security threat–and it’s U.S. Customs and Border Protection agents that are committing crimes. Bribery, drug trafficking, migrant smuggling, embezzlement, and other crimes have become so prevalent that a senior manager has issued a memo pointing out that agents are supposed to uphold, not break the law: U.S. Customs and Border Protection is supposed to stop these types of crimes. Instead, so many of its officers have been charged with committing those crimes themselves that their boss in Washington recently issued an alert about the ‘‘disturbing events’’ and the ``increase in the number of employee arrests.’’ ...

The March 10 Wall Street Journal contains a fairly detailed description of the data mining operation being run by the NSA. The program described is more data mining than eavesdropping, though it does involve the collection of transactional data like call detail records for telephone calls, and intercepted Internet data like web search terms and email senders and recipients. Also included is financial transaction data and airline data. I think most of this had already been pieced together, but this is a fairly comprehensive summary in one place. The WSJ story reports that leads generated from the data mining effort are then fed into the Terrorist Surveillance Program, which does warrantless eavesdropping. (An earlier version of this post incorrectly referred to the whole operation as the Terrorist Surveillance Program.) ...

Jeremy Jaynes, the spammer who was convicted and sentenced to nine years in prison in 2003 for violating Virginia’s anti-spam law, has lost his appeal before the Virginia Supreme Court in a 4-3 ruling. Several of the dissents claimed that Virginia’s anti-spam law, which criminalizes unsolicited bulk email with falsified headers, even if it is political or religious in content rather than commercial, is a violation of the First Amendment. The quotations from Justice Elizabeth Lacy and Jaynes’ attorney Thomas M. Wolf both state that the law has diminished everyone’s freedom by criminalizing “bulk anonymous email, even for the purpose of petitioning the government or promoting religion." Both Lacy and Wolf misrepresent the law, which makes it a crime to “Falsify or forge electronic mail transmission information or other routing information in any manner in connection with the transmission of unsolicited bulk electronic mail through or into the computer network of an electronic mail service provider or its subscribers." There is a difference between forging headers and sending anonymous email–the latter does not require the former, and the latter is not prohibited by the law. Jaynes wasn’t just trying to be anonymous–he was engaged in fraud, and falsifying message headers and from addresses to try to avoid the consequences of his criminality. He wasn’t using anonymous remailers to express a political or religious message, and if he had been, he wouldn’t have been able to be charged under this law. UPDATE (September 12, 2008): The Virginia Supreme Court has reversed itself and struck down Virginia’s anti-spam law as unconstitutional, on the grounds that prohibiting false routing information on emails infringes upon the right to anonymous political or religious speech. This is a very bad decision for the reasons I gave above. There are ways to engage in anonymous speech without doing what Jaynes did, falsifying message headers and domain names. The court’s argument that one must falsify headers, IP addresses, and domain names in order to be anonymous is factually incorrect. Anonymity doesn’t require header falsification, it only requires omission of identifying information.

As ZDNet reports, yesterday afternoon, in response to a government order to filter YouTube (AS 36561), Pakistan Telecom (AS 17557, pie.net.pk) announced a more-specific route (/24; YouTube announces a /23) for YouTube’s IP space, causing YouTube’s Internet traffic to go to Pakistan Telecom. YouTube then re-announced its own IP space in yet more-specific blocks (/25), which restored service to those willing to accept routing announcements for blocks that small. Then Pakistan Telecom’s upstream provider, PCCW (AS 3491), which had made the mistake of accepting the Pakistan Telecom /24 announcement for YouTube in the first place, shut off Pakistan Telecom completely, restoring YouTube service to the world minus Pakistan Telecom. They got what they wanted, but not quite in the manner they intended. Don’t mess with the Internet. Martin Brown gives more detail at the Renesys Blog, including a comment on how this incident shows that it’s still a bit too easy for a small ISP to disrupt service by hijacking IPs, intentionally or inadvertently. Danny McPherson makes the same point at the Arbor Networks blog, and also gives a good explanation of how the Pakistan Internet provider screwed up what they were trying to do. Somebody still needs to update the Wikipedia page on how Pakistan censors the Internet to cover this incident. UPDATE: BoingBoing reports that the video which prompted this censorship order was an excerpt from Dutch Member of Parliament Geert Wilders’ film “Forbidden” criticizing Islam, which was uploaded to YouTube back on January 28. I’ve added “religion” and “Islam” as labels on this post, accordingly. The two specific videos mentioned by Reporters without Borders as prompting the ban have been removed from YouTube, one due to “terms of use violation” and one “removed by user." The first of these two videos was supposedly the Geert Wilders one; the second was of voters describing election fraud during the February 18 Parliamentary elections in Pakistan. This blog suggests that the latter video was the real source of the attempted censorship gone awry, though the Pakistan media says it was the former. So perhaps the former was the pretext, and the latter was the political motivator. A “trailer” for Wilders’ film is on YouTube here. Wilders speaks about his film on YouTube here and here. Ayaan Hirsi Ali defends Wilders on Laura Ingraham’s show on Fox News here. (Contrary to the blog post I’ve linked to, Hirsi Ali was not in the Theo Van Gogh film “Submission Part One,” which can itself be found here, rather, she wrote it. Van Gogh was murdered as a result of it. The beginning and end is in Arabic with Dutch subtitles, but most of it is in English with Dutch subtitles.) UPDATE (February 26, 2008): This just in, from Reuters–Pakistan “might have been” the cause of the YouTube outage. Way to be on the ball with breaking news, Reuters! The Onion weighs in on the controversy!

On Friday, I attended the New Mexico InfraGard Member Alliance’s “$-Gard 2008” conference in Albuquerque. It was an excellent one-day conference that should be used as a model by other chapters. The conference was open to the public, and featured an informative and entertaining two-hour seminar on fraud and white collar crimes by Frank Abagnale, author of the autobiographical Catch Me If You Can and anti-fraud books The Art of the Steal and Stealing Your Identity. (Another version of Abagnale’s talk can be viewed as an online webinar courtesy of City National Bank.) Abagnale argued that fraud has become much easier today than it was when he was a criminal forger, with numerous examples, and also offered some simple and relatively inexpensive ways for businesses and individuals to protect themselves. For example, he recommended the use of microcut shredders, and observed that his own business keeps shredders near every printer, and no documents get thrown away, everything gets shredded. He recommended the use of a credit monitoring service like Privacy Guard, and that if you write checks, you use a black uniball 207 gel pen, which is resistant to check-washing chemicals. For businesses that accept cash, he recommended training employees in some of the security features of U.S. currency rather than relying on pH testing pens, which are essentially worthless at detecting counterfeit money. By recognizing where bills use optical variable ink, for example, you can easily test for its presence in the time it takes you to accept bills from a customer and transfer them into a cash register. He also recommended that businesses use bank Positive Pay services to avoid having business checks altered. ...

Gary D. Barnett, president of a financial services firm in Montana, has written an article about InfraGard for The Future of Freedom Foundation, apparently inspired by the Progressive article. Thankfully, he avoids the bogus “shoot to kill” claims, but he introduces some erroneous statements of his own. It’s apparent that he didn’t bother speaking to anyone in InfraGard or doing much research before writing his article, which is another attempt to spread fear, uncertainty, and doubt about the program. Barnett first goes wrong when he writes: ...