My standard security lecture

Myth: Nobody wants to get into my computer because I don’t have anything important saved on it.

Fact: I don’t care who you are or what you do with your computer; security is important. Do you want the Russian Mafia using your computer? The North Korean military? Al Qaeda?

If you’re OK with that kind of vermin using your computer, then do whatever you want. I hope you don’t have problems sleeping at night. If you don’t want that kind of vermin using your computer, I suggest you read on.

Odds are, the next 9/11 isn’t going to involve airplanes or even bombs. It’s more likely to be a computer attack of some sort.

Modern computer viruses generally join infected computers together into large networks, which then “phone home” for orders. They can sit dormant for a long time, or they can start carrying out orders immediately. Those orders could be sending out spam e-mail messages. Or those orders could be to conduct an attack on some other computer, perhaps a bank, or perhaps a government or military operation.

Imagine Al Qaeda building a network of a few million computers, then using that network to overwhelm an important computer. When Amazon or eBay have a bad day and you can’t get to them, it’s possible they’re being attacked and struggling to cope with it.

The same approach that crashes Amazon.com could theoretically be used to crash the stock market or the Space Shuttle. Fortunately, that kind of trick is nearly impossible. But not completely.

Building the network is the easy part. Locating a target to point it at is the hard part.

The network already exists. There was a virus expected to trigger on April 1 of this year. It didn’t, for whatever reason. But everything isn’t OK. The network still exists, it’s still growing, and nobody’s figured out yet who built it, what they intend to do with it, and how to get in and disable it. Believe me, there are experts around the world trying to figure it out.

Whoever or whatever is behind it, you don’t want your computer unwittingly participating in it.

Here’s how to avoid inadvertently aiding and abetting criminals and terrorists with sloppy computer security practices.

1. Use antivirus software and keep it up to date. Many Internet providers will give you antivirus software for free these days. Call your provider and ask. If not, download Microsoft Security Essentials.

2. Configure Automatic Updates. This allows Microsoft to fix security vulnerabilities in your computer as they’re discovered. Macintosh users, don’t get smug. You need to configure Apple update too–Apple releases a dozen or so fixes every month to fix security issues on Macs too.

3. Don’t open unexpected e-mail attachments. It’s been 12 years since this has been safe to do, but people do it anyway. STOP. NOW. I don’t care how funny the joke is, or how cute or hot or whatever the picture is.

4. Don’t open unexpected e-mail, for that matter. Booby-trapping an e-mail message with a virus isn’t especially difficult to do. Frankly, if any e-mail message looks suspicious (a subject line like HOT HORNY SINGLES WANT TO TALK TO YOU NOW! is usually a giveaway), I just delete it.

5. And if you ignore steps 3 and 4, for Pete’s sake, don’t buy anything. Nearly 10% of people actually buy something based on spam e-mail messages. That just encourages all of this other activity.

6. Use web-based e-mail. Most web-based providers use good spam and virus filtering, giving you an extra layer of protection.

7. Use an alternative web browser and e-mail program. Internet Explorer is literally a superhighway for viruses and other malicious software to hook directly into the operating system. Use Firefox, Chrome, or Opera.

Have I scared the living daylights out of you? Good. If your computer is beyond help, get a reputable IT professional to clean it up. Then start doing these things. If your computer is OK right now, start doing these things.

And then stop aiding and abetting criminals and terrorists.

In case anyone’s wondering why I don’t run an open forum anymore…

I think David Pogue sums up what’s wrong with online etiquette pretty well.

I know I got sick and tired of ducking rocks from anonymous know-it-alls. That irritated me as much as spam. My blog is a hobby. It brings in a little bit of money, but I’m not sure that the money covers the increase in my electric bill. I run my blog because I enjoy writing and because I’ve found a shortage of some types of useful information, so I tried to remedy that shortage when and where I could.

So I started requiring registration. In the process I pretty much ruined the blog, because I ditched b2 in favor of the software I’m using now. Of course, a few months after I made that change, b2 evolved into the lovely and wonderful WordPress, which now everyone and his brother is using.

Then Southwestern Bell started blocking SMTP traffic, preventing my software from sending out registration notices. There’s a workaround out there for that, but I still haven’t convinced myself, two years after I became aware of the problem, that it’s worth fixing. I’m sure I’m losing readership because people who want to be able to sign in and comment can’t, but I find I rather enjoy not having to deal with idiots. The dozen or so people who are left are nice people who say intelligent things.

Don’t get me wrong, I deal with some rude and poor-intentioned people at work. The rudest and most difficult, not coincidentally, are the people I’ve never seen but only spoken with over the phone and e-mail. But even they control what they say a little bit. There’s always the danger that we’ll run into each other someday, after all.

I remember about seven years ago when I wrote something that made the front page of Linux Today. It was a thrill. I even ended up exchanging e-mail with the president of Mandrake, and some suggestions I made for features found their way into later versions of that Linux distribution. Those were fun times.

What goes through my head when I realize that I’ll never make the front page of Digg?

One word: Good.

I still love to write, and I may have even figured out how to make enough money writing to make it worth my while to write regularly again. To be honest, right now I don’t have time to write regularly, but when it’s worthwhile, I can always find ways to make time.

Blogging fits into that equation, so I guess sometime between now and then, I’ll have to figure out some way to deal with the trolls.

Have you noticed your inbox is lighter lately?

The FBI nailed Alan Ralsky.

Ralsky’s reaction? “I’m not a spammer. I’m a commercial e-mailer.”

In other news, Marion Berry doesn’t go to strip bars. He goes to erotic clubs.

Ralsky, if you’re not familiar with him, is one of the more prolific spammers in the world. And while some people sympathize with him since sending spam seems to be the only way he can make a living, the fact is that spam hurts everyone. It wastes your time–the lost productivity dealing with spam has been valued at anywhere from $9 to $22 billion–and it hurts your ISP too.

I know someone who administers mail servers for one of the largest cable companies in the United States. The upgrades to its mail servers cost six figures when they have to do it. This past week he described the situation with spam and worms as “SETI@Home in a DDoS attack against mail.ispname.net.”

If you want to know why broadband Internet access doesn’t cost $5 a month, you can blame people like Ralsky.

Defenders say Ralsky didn’t break any laws. But according to various anti-spam laws, disguising the origins of your mail is illegal, and Ralsky has been guilty of this. To me, this rings of jailing Al Capone for tax evasion. Another question to ask is whether Ralsky has hawked pornography to underage children and whether he has ever hawked prescription drugs. If he had set up a table on a streetcorner and done either of those things, he would have landed himself in jail. If it’s illegal on the streetcorner, it ought to be illegal online. Especially because if he were doing it on the streetcorner, he’s only using a small parcel of public land. When he does it online, he’s utilizing thousands of computers that don’t belong to him.

I was glad when thousands of people signed Ralsky up for every junk-mail list they could find. It told a lot about his character when he remained defiant afterward. Filling his mailbox with junk was wrong, yet he saw nothing wrong with filling our e-mail boxes and he continued to do so.

Someone else will rise to take his place, but it will take time to learn his tactics, and in the meantime, anti-spam tools will get better.

The reason spam works is because somebody buys stuff from it. It might be one out of a thousand, or one out of a million, depending on who you believe. But it doesn’t take much more effort to blast out 3 million messages than it takes to blast out 3 thousand. It’s an attractive business because someone who’s unable or unwilling to do other work can get started with little or no expense, using equipment he or she probably already owns. It’s safer than, say, trying to sell stuff on eBay. If I list a big pile of stuff on eBay and it doesn’t sell, I owe listing fees–probably around 30 cents–on each item that doesn’t sell. Plus I’m stuck with that item and out whatever I paid to get it. But if I blast out a bunch of spam and nobody bites, I haven’t really lost anything, except maybe my ISP suspending or discontinuing my service.

The courts need to make an example of Alan Ralsky. Meanwhile, the FBI needs to go find a few of the other big fish in this pond and do the same.

Why small business is better than big business

Technophilosopher Paul Graham (whose essay on Bayesian filtering spurred the development of one of the more popular methods for blocking spam) has some thoughts on what companies ought to learn from open source and blogging.

I really liked this quote: [Those who] run Windows on servers ought to be prepared to explain what they know about servers that Google and Yahoo don’t know. I know Google and Yahoo are a whole lot smarter than anyone I’ve worked for who runs on Windows.

But the most poignant bit for me was this: People work a lot harder on things they like.

I believe this is why successful small businesses are successful. Millionaire owners of small businesses often work very long hours–possibly 10 or even 14 hours a day. But many of them probably don’t realize they’re working those long hours because they enjoy it.

I’ve noticed this with my wife when I work with her. She doesn’t keep track of the hours she works because she doesn’t care. And at the end of my workday when I come home, we might spend most of the evening working, but at the end of the evening, we’re no more tired than we would have been if we’d spent the evening sitting on the couch watching TV.

As I watch the rise and fall of companies in the computer industry, I see this same pattern. Why can’t Microsoft sustain the growth of its early years? There are lots of reasons, but in the very early days when Bill Gates and Paul Allen actually spent time writing code alongside their employees, everyone worked excruciatingly long hours, but they did it out of choice. Microsoft is notorious for trying to force those kinds of hours out of its workers today (the book Microserfs details this in general). Could the reason every Microsoft operating system released in the last 15 years has been delayed be because they’re just a labor, rather than a labor of love?

I think that has a lot to do with it.

And I think this is the reason why I’m not a fan of big business and never have been. Don’t get me wrong; I’m no fan of big government or big labor either. Big anything is out of touch and can’t help but focus more on self-preservation than on the things it’s doing and why those things are interesting and important. I can’t necessarily tell you why any given thing is interesting or important but I can tell you without even seeing it that it isn’t because of the amount of money it can make.

Moral Dilemma

I saw the following in one of my Backup Exec failure logs (directory names changed slightly to protect the client’s name, and me):

Directory F:\ITWEB\Flash Stuff\Welcome Page Animations was not found, or could not be accessed.
None of the files or subdirectories contained within will be backed up.

Hmm. Flash animations.

I’m torn. My duty to the client who is paying me, of course, is to fix the problem so the file is backed up.

But they’re blinky, annoying Flash animations. Flash, of course, is the third worst thing to ever happen to the Internet, behind popups and spam. OK, it’s the fourth worst thing. I’ll put it behind spam. But I’ll even put it ahead of Microsoft Internet Exploiter.

So an opportunity to snuff out some blinky Flash animations that have been foisted on the world is a great temptation.

Or am I the only one who feels this way about Flash?

Incidentally, I turn off animated GIFs too–I find a Web without animated GIFs and Flash is a much more pleasant place. I don’t know if that makes me boring and extremist or what.

Why do people pay $35 for lists of paid survey sites?

I’ve been seeing more and more advertisements for paid survey sites. And the promises keep getting more and more ridiculous.

I think it’s a scam. You can make a little bit of spending money filling out surveys, but don’t let anyone hoodwink you into thinking you’ll get rich. Look at it as a way to spend a couple of hours a week to make a little bit of extra money, and nothing more, and you stand to do OK.


I’d actually consider running a screensaver

Lycos has released a screensaver that combats spam. It just tries to repeatedly download the web content of known spammers in hopes of driving up their bandwidth costs.

I am famously opposed to screen savers, but…


Things to look for in a wireless router

It’s the time of year that a lot of people buy computer equipment, and wireless networking is one of the things people look for. But what things should be on the shopping list?

I was hoping you’d ask that question.

Compatibility with what you already have, if possible. Routers are available that speak 802.11a, 802.11b, or 802.11g, or all three. If you already have some wireless equipment, look for something that can speak its language.

Cordless phone interference. 2.4 GHz cordless phones will interfere with 802.11b and 802.11g. 802.11a works at a different frequency, but it might be cheaper to replace your 2.4 GHz phone with a 900 MHz phone.

Speed. 802.11a and 802.11g operate at 54 Mbps, which is considerably nicer than 802.11b’s 11 Mbps, although both are much faster than current U.S. broadband connections, which tend to top out around 3 Mbps. If you move a lot of files around, you’ll appreciate the 54 Mbps speed. If your primary use of wireless is sharing an Internet connection and a printer or two, 802.11b is probably fast enough, and it’s usually cheaper, with the downside of shorter life expectancy.

802.11g is currently the most popular standard, because it gives 54 Mbps speed and offers compatibility with existing 802.11b equipment. Use this information as you will. If you’re of the security by obscurity mindset, 802.11a is a better choice, as a wardriver is more likely to be driving around with an 802.11b or 802.11g card. If you want to make sure your buddies can hook up when they come over, or you can hook up at your buddies’ places, 802.11g is the better choice.

Brand. Match the brands of router and cards, if at all possible. This makes configuration and security much simpler.

WPA. The encryption used by older standards is relatively weak. You want to enable 128-bit WEP (256-bit WEP is better but still not as good as WPA), change the SSID and disable SSID broadcast, and hard-code your MAC addresses so that only your cards can use your router. This protects you from someone driving around your neighborhood with a laptop and using your Internet connection to send out spam or transfer illicit material that can be traced back to you. Do you want the RIAA suing you because someone used your Internet connection to download 400 gigs’ worth of boy-band MP3s off Kazaa? Worse yet, if that happens, word might get out that you like that stuff.

WPA adds another layer of protection on top of these (which are standard issue by now). Rather than the security key being fixed, it’s dynamically generated from trillions of possibilities. Sufficient CPU power to crack WPA and either monitor your transmissions or use your access point might someday exist, but for now it gives the best protection available, so you should get it and use it. This USRobotics whitepaper on security ought to be a must-read.

Built-in firewall with port forwarding. This is a standard feature on all brand-name units and ought to be on the off brands as well, but it doesn’t hurt to double check. Hardware firewalls are far superior to software firewalls–they don’t annoy you with popups and they can’t be disabled by a malicious process. Port forwarding is necessary for a lot of games, and also if you want to run your own mail or web server.

Hackability. By this I don’t mean the ability of an outsider to get in, I mean your ability to add capability to it. The Linksys WRT54G is based on Linux, so it has a big following with an underground community adding capabilities to it all the time. If you want to take advantage of this, look for a WRT54G or another device with a similar following.

Spam that infects your computer

This really isn’t anything new–I’ve long suspected spam was using ActiveX controls to infect computers with spyware and other unpleasantries, but now a spam message that infects your computer when you opt out is gaining publicity.

The usual advice applies. Turn off the preview pane in Outlook/Outlook Express, if you must use a Microsoft program at all to read mail.

Install a spam filter. I used POPFile. Outclass allows POPFile to work with Outlook, even in Exchange Corporate Workgroup environments.

Consider getting a Yahoo mail account, or, if you ever happen to get an invitation, a Gmail account. They filter your spam for you and do a pretty good job, in my experience.

If spam gets through, don’t even open it. Tell me, why would any legitimate e-mail have a subject line like “Drugs online no prior prescription needed?” Or “Gen.eric Vioxx, Gen.eric Am.bien, Gen.eric Paxil, and more?”

And of course, get an antivirus program and keep the virus definitions up to date. Newer antivirus programs are even starting to detect and eliminate spyware, finally.

One person told me he reads and responds to all spam, because if he didn’t, he wouldn’t get any e-mail. If you or someone you know reads spam out of loneliness, that’s curable too. Install a spam filter and then fill the void by going to Yahoo Groups and looking for an active group on something that interests you. I think every single time I’ve gotten interested in something or someone’s asked me a question, I’ve found a Yahoo group that pertains to it. The person is almost guaranteed to learn something, and the chances of making some new friends are pretty high.

Bounty-hunting spammers

I missed posting a reference to the FTC bounty on spammers this week.

The FTC says a bounty is about the only thing that will work. In other news, the Pope is still Catholic.

You can make spam illegal all you want, but the problem is tracking the people down. They’ve had years to practice concealing their origins. If you and I can’t track them down, then chances are law enforcement can’t track them down all that easily either.

Without inside information, you won’t track them down, at least not without going 1984 on everybody. And if there’s one thing that makes people scream louder than spam, it’s encroaching on their rights, whether those rights are perceived or real.

But the people with inside information don’t have much incentive to turn spammers in.

The question is where the funding comes from. Hopefully the fines levied against the lawbreakers will be enough to pay the whistleblowers. To me, it’s a very legitimate use of the money.

Of course, the direct marketing people are screaming and hollering that too much power is going to anti-spam groups. They would have less problem if they had taken a strong stand against spam in the first place.

I don’t think they’ll get much sympathy. At least I hope not. A few local business owners made headlines when they ignored Missouri’s Don’t-Call list and then were sued out of business. I didn’t have any sympathy for them. They knew the law was coming and what they had to do in order to comply. Besides, if I need my windshield fixed, do you think I’m going to wait for a telemarketer to call me in the middle of dinner?

Additionally, many of these spammers are breaking other laws as well. Since when is it legal to sell me Valium without a prescription? And if bigoea@yahoo.com is a licensed pharmacist, why is he resorting to spamming people at random to get customers? If you know of a pharmacy that’s hurting for business, I’d sure like to know about it because I’ll go there and so will everyone else I know who’s tired of waiting 30 minutes to get a prescription.

More than likely, the person hiding behind that Yahoo address is either misrepresenting what he’s selling (fraud) or selling prescription drugs without a license (drug trafficking), and he may very well be guilty of breaking numerous other laws and needs to be put away anyway.

Tell me again why direct marketers haven’t done everything they possibly can to distance themselves from these people?

Giving the insider who turns the spammer in enough money to take a year (or five, depending on lifestyle) off work seems the best way to eliminate some of these lowlives who continue to clog our inboxes and our Internet connections.