And we have safely arrived in the 21st century.

It wasn’t the smoothest of transitions, but it went a whole lot better than it could have. I’ve moved the venerable Silicon Underground, with its nearly 1,800 posts spanning a little over a decade, to WordPress 3.0.1.

This blog’s been pretty stale for a long time. Some of that is due to the software. Some of it’s my fault. Blogging software has really advanced a lot in the last few years, and the software I’ve been using since 2004 was a bit behind the curve even then. In its defense, in 2004 nothing could do everything I wanted, and the system I chose was one of the few that required login and authentication, which I desperately needed in order to stop spam. But then registration broke, and I didn’t fix it, which meant only longtime readers could comment.

For commenting, we’re going back to username and e-mail address with optional URL, and with some spam analysis tools hopefully filtering out the spam. Users are moderated until their second comment, which will help take care of the trolls. Comments containing multiple hyperlinks automatically go to moderation. And comments will be closed after some period of time, probably 14 days. Discussions usually go downhill as time goes on.

Will I post more now that it’s easier? Probably.

Modern blogs can interact with one another; mine was always an island. Now I can trackback and pingback like everyone else, which will probably prove useful.

I’m sure I’ll be making changes for a while, but this is a big improvement.

I’d like to thank Steve D. and Rich P. (you know who you are) for their help with the migration. It only took me what, three years to go through with it? Four? And then it ended up taking about two hours of real work, if that, spread out over the course of a couple of weeks.

My standard security lecture

Myth: Nobody wants to get into my computer because I don’t have anything important saved on it.

Fact: I don’t care who you are or what you do with your computer, security is important. Do you want the Russian Mafia using your computer? The North Korean military? Al Qaeda?

If you’re OK with that kind of vermin using your computer, then do whatever you want. I hope you don’t have problems sleeping at night. If you don’t want that kind of vermin using your computer, I suggest you read on.

Odds are, the next 9/11 isn’t going to involve airplanes or even bombs. It’s more likely to be a computer attack of some sort.

Modern computer viruses generally join infected computers together into large networks, which then “phone home” for orders. They can sit dormant for a long time, or they can start carrying out orders immediately. Those orders could be sending out spam e-mail messages. Or those orders could be to conduct an attack on some other computer, perhaps a bank, or perhaps a government or military operation.

Imagine Al Qaeda building a network of a few million computers, then using that network to overwhelm an important computer. When Amazon or eBay have a bad day and you can’t get to them, it’s possible they’re being attacked and struggling to cope with it.

The same approach that crashes Amazon.com could theoretically be used to crash the stock market or the Space Shuttle. Fortunately, that kind of trick is nearly impossible. But not completely.

Building the network is the easy part. Locating a target to point it at is the hard part.

The network already exists. There was a virus expected to trigger on April 1 of this year. It didn’t, for whatever reason. But everything isn’t OK. The network still exists, it’s still growing, and nobody’s figured out yet who built it, what they intend to do with it, and how to get in and disable it. Believe me, there are experts around the world trying to figure it out.

Whoever or whatever is behind it, you don’t want your computer unwittingly participating in it.

Here’s how to avoid inadvertently aiding and abetting criminals and terrorists with sloppy computer security practices.

1. Use antivirus software and keep it up to date. Many Internet providers will give you antivirus software for free these days. Call your provider and ask. If not, download Microsoft Security Essentials.

2. Configure Automatic Updates. This allows Microsoft to fix security vulnerabilities in your computer as they’re discovered. Macintosh users, don’t get smug. You need to configure Apple update too–Apple releases a dozen or so fixes every month to fix security issues on Macs too.

3. Don’t open unexpected e-mail attachments. It’s been 12 years since this has been safe to do, but people do it anyway. STOP. NOW. I don’t care how funny the joke is, or how cute or hot or whatever the picture is.

4. Don’t open unexpected e-mail, for that matter. Booby-trapping an e-mail message with a virus isn’t especially difficult to do. Frankly, if any e-mail message looks suspicious (a subject line like HOT HORNY SINGLES WANT TO TALK TO YOU NOW! is usually a giveaway), I just delete it.

5. And if you ignore steps 3 and 4, for Pete’s sake, don’t buy anything. Nearly 10% of people actually buy something based on spam e-mail messages. That just encourages all of this other activity.

6. Use web-based e-mail. Most web-based providers use good spam and virus filtering, giving you an extra layer of protection.

7. Use an alternative web browser and e-mail program. Internet Explorer is literally a superhighway for viruses and other malicious software to hook directly into the operating system. Use Firefox, Chrome, or Opera.

Have I scared the living daylights out of you? Good. If your computer is beyond help, get a reputable IT professional to clean it up. Then start doing these things. If your computer is OK right now, start doing these things.

And then stop aiding and abetting criminals and terrorists.

In case anyone’s wondering why I don’t run an open forum anymore…

I think David Pogue sums up what’s wrong with online etiquette pretty well.

I know I got sick and tired of ducking rocks from anonymous know-it-alls. That irritated me as much as spam. My blog is a hobby. It brings in a little bit of money, but I’m not sure that the money covers the increase in my electric bill. I run my blog because I enjoy writing and because I’ve found a shortage of some types of useful information, so I tried to remedy that shortage when and where I could.

So I started requiring registration. In the process I pretty much ruined the blog, because I ditched b2 in favor of the software I’m using now. Of course, a few months after I made that change, b2 evolved into the lovely and wonderful WordPress, which now everyone and his brother is using.

Then Southwestern Bell started blocking SMTP traffic, preventing my software from sending out registration notices. There’s a workaround out there for that, but I still haven’t convinced myself, two years after I became aware of the problem, that it’s worth fixing. I’m sure I’m losing readership because people who want to be able to sign in and comment can’t, but I find I rather enjoy not having to deal with idiots. The dozen or so people who are left are nice people who say intelligent things.

Don’t get me wrong, I deal with some rude and poor-intentioned people at work. The rudest and most difficult, not coincidentally, are the people I’ve never seen but only spoken with over the phone and e-mail. But even they control what they say a little bit. There’s always the danger that we’ll run into each other someday, after all.

I remember about seven years ago when I wrote something that made the front page of Linux Today. It was a thrill. I even ended up exchanging e-mail with the president of Mandrake, and some suggestions I made for features found their way into later versions of that Linux distribution. Those were fun times.

What goes through my head when I realize that I’ll never make the front page of Digg?

One word: Good.

I still love to write, and I may have even figured out how to make enough money writing to make it worth my while to write regularly again. To be honest, right now I don’t have time to write regularly, but when it’s worthwhile, I can always find ways to make time.

Blogging fits into that equation, so I guess sometime between now and then, I’ll have to figure out some way to deal with the trolls.

Have you noticed your inbox is lighter lately?

The FBI nailed Alan Ralsky.

Ralsky’s reaction? “I’m not a spammer. I’m a commercial e-mailer.”

In other news, Marion Barry doesn’t go to strip bars. He goes to erotic clubs.

Ralsky, if you’re not familiar with him, is one of the more prolific spammers in the world. And while some people sympathize with him since sending spam seems to be the only way he can make a living, the fact is that spam hurts everyone. It wastes your time–the lost productivity dealing with spam has been valued at anywhere from $9 to $22 billion–and it hurts your ISP too.

I know someone who administers mail servers for one of the largest cable companies in the United States. The upgrades to its mail servers cost six figures when they have to do it. This past week he described the situation with spam and worms as “SETI@Home in a DDoS attack against mail.ispname.net.”

If you want to know why broadband Internet access doesn’t cost $5 a month, you can blame people like Ralsky.

Defenders say Ralsky didn’t break any laws. But according to various anti-spam laws, disguising the origins of your mail is illegal, and Ralsky has been guilty of this. To me, this rings of jailing Al Capone for tax evasion. Another question to ask is whether Ralsky has hawked pornography to underage children and whether he has ever hawked prescription drugs. If he had set up a table on a streetcorner and done either of those things, he would have landed himself in jail. If it’s illegal on the streetcorner, it ought to be illegal online. Especially because if he were doing it on the streetcorner, he’s only using a small parcel of public land. When he does it online, he’s utilizing thousands of computers that don’t belong to him.

I was glad when thousands of people signed Ralsky up for every junk-mail list they could find. It told a lot about his character when he remained defiant afterward. Filling his mailbox with junk was wrong, yet he saw nothing wrong with filling our e-mail boxes and he continued to do so.

Someone else will rise to take his place, but it will take time to learn his tactics, and in the meantime, anti-spam tools will get better.

The reason spam works is because somebody buys stuff from it. It might be one out of a thousand, or one out of a million, depending on who you believe. But it doesn’t take much more effort to blast out 3 million messages than it takes to blast out 3 thousand. It’s an attractive business because someone who’s unable or unwilling to do other work can get started with little or no expense, using equipment he or she probably already owns. It’s safer than, say, trying to sell stuff on Ebay. If I list a big pile of stuff on Ebay and it doesn’t sell, I owe listing fees–probably around 30 cents–on each item that doesn’t sell. Plus I’m stuck with that item and out whatever I paid to get it. But if I blast out a bunch of spam and nobody bites, I haven’t really lost anything, except maybe my ISP suspending or discontinuing my service.

The courts need to make an example of Alan Ralsky. Meanwhile, the FBI needs to go find a few of the other big fish in this pond and do the same.

Why small business is better than big business

Technophilosopher Paul Graham (whose essay on Bayesian filtering spurred the development of one of the more popular methods for blocking spam) has some thoughts on what companies ought to learn from open source and blogging.

I really liked this quote: [Those who] run Windows on servers ought to be prepared to explain what they know about servers that Google and Yahoo don’t know. I know Google and Yahoo are a whole lot smarter than anyone I’ve worked for who runs on Windows.

But the most poignant bit for me was this: People work a lot harder on things they like.

I believe this is why successful small businesses are successful. Millionaire owners of small businesses often work very long hours–possibly 10 or even 14 hours a day. But many of them probably don’t realize they’re working those long hours because they enjoy it.

I’ve noticed this with my wife when I work with her. She doesn’t keep track of the hours she works because she doesn’t care. And at the end of my workday when I come home, we might spend most of the evening working, but at the end of the evening, we’re no more tired than we would have been if we’d spent the evening sitting on the couch watching TV.

As I watch the rise and fall of companies in the computer industry, I see this same pattern. Why can’t Microsoft sustain the growth of its early years? There are lots of reasons, but in the very early days when Bill Gates and Paul Allen actually spent time writing code alongside their employees, everyone worked excruciatingly long hours, but they did it out of choice. Microsoft is notorious for trying to force those kinds of hours out of its workers today (the book Microserfs details this in general). Could the reason every Microsoft operating system released in the last 15 years has been delayed be because they’re just a labor, rather than a labor of love?

I think that has a lot to do with it.

And I think this is the reason why I’m not a fan of big business and never have been. Don’t get me wrong; I’m no fan of big government or big labor either. Big anything is out of touch and can’t help but focus more on self-preservation than on the things it’s doing and why those things are interesting and important. I can’t necessarily tell you why any given thing is interesting or important but I can tell you without even seeing it that it isn’t because of the amount of money it can make.

Moral Dilemma

I saw the following in one of my Backup Exec failure logs (directory names changed slightly to protect the client’s name, and me):

Directory F:\ITWEB\Flash Stuff\Welcome Page Animations was not found, or could not be accessed.
None of the files or subdirectories contained within will be backed up.

Hmm. Flash animations.

I’m torn. My duty to the client who is paying me, of course, is to fix the problem so the file is backed up.

But they’re blinky, annoying Flash animations. Flash, of course, is the third worst thing to ever happen to the Internet, behind popups and spam. OK, it’s the fourth worst thing. I’ll put it behind spam. But I’ll even put it ahead of Microsoft Internet Exploiter.

So an opportunity to snuff out some blinky Flash animations that have been foisted on the world is a great temptation.

Or am I the only one who feels this way about Flash?

Incidentally, I turn off animated GIFs too–I find a Web without animated GIFs and Flash is a much more pleasant place. I don’t know if that makes me boring and extremist or what.

Why do people pay $35 for lists of paid survey sites?

I’ve been seeing more and more advertisements for paid survey sites. And the promises keep getting more and more ridiculous.

I think it’s a scam. You can make a little bit of spending money filling out surveys, but don’t let anyone hoodwink you into thinking you’ll get rich. Look at it as a way to spend a couple of hours a week to make a little bit of extra money, and nothing more, and you stand to do OK.

First of all, don’t pay your $35. The people who run those sites say you can make that money back immediately. The problem is, they don’t know that. So why should you part with $35 without knowing when you’ll recoup your investment?

I filled out my first paid survey in 1996 or 1997. The first survey I filled out must have been some early marketing research for Webvan, because I distinctly remember it asking me questions about online grocery shopping. I answered their questions, and a few weeks later a check for $12 appeared in my mailbox. Occasionally I got e-mail invitations to participate in another survey. I probably made about $50 from that research firm before it disappeared. That happens.

More recently, after seeing an ad for someone wanting my $35, I decided to see what I could find on my own. A Google search on “paid survey” turned up a few leads. I ended up joining a couple. They sent me a few surveys. Some of the surveys meet their quota within minutes of being sent out, so I’ve probably missed half my opportunities.

Here’s my advice on these things. Let people pay you for your opinions, but protect yourself. Get a free e-mail account from Yahoo, since it has decent spam protection, and use it for surveys exclusively. I’ve started getting a lot more spam since I signed up with these guys. I can’t say I’m surprised. I thought I opted out of all the mailings but it’s hard to know you checked all of the important boxes.

Shy away from people who offer you coupons or merchandise. Why should you work for frivolous things you probably don’t want or need? Stick with survey sites that offer cash. One site I signed up for pays in points, redeemable for cash. Problem is, when you convert it to cash, you get five cents per point, and you have to accumulate a minimum of 1,000 points before you can cash out. The last survey I got from them promised to take 30-45 minutes and pay 100 points. Considering I’d have to take 10 surveys before I saw a penny, and the effort was twice as much for half as much pay as some other sites pay, I wish I hadn’t bothered.

A lot of the sites require you to have a bunch of plug-ins installed, like Flash and Real. Most don’t seem to work with anything but Internet Explorer. If you want to do this a lot, it might not be a bad idea to dig the old Pentium-200 out of the closet and use it for your survey activity and only for your survey activity. That way if it gets infected with spyware, it won’t affect your good computer, and you’ll have a better idea where the problem came from.

The claims of making $200 an hour are very misleading. Most surveys that pay $20 take 20-30 minutes to fill out, especially if you answer honestly, which you should. Fill out three surveys and I guess you can say you make $60 an hour. But you’d have to be in an unbelievably desirable demographic to get more than a couple of surveys a day. While some sites promise occasional surveys that pay $100 or more, I have yet to see one. That doesn’t mean they don’t exist, but it suggests they aren’t common.

One site, Surveysavvy.com, allows you to refer friends, and they pay you a small commission based on your referrers’ work, allowing you to set up a two-level pyramid scheme. (Full disclosure: the link above is a referral to me.)

So, don’t expect to be able to quit your day job and get rich filling out online surveys. Don’t expect to be able to quit your job, period. If you’re in a reasonably desirable demographic, you might be able to pull in a thousand dollars or two a year filling out surveys. That could make a nice retirement nest egg, help you pay down some debt, or pay for a vacation.

That pretty much mirrors what an interviewee said in a recent news story I saw about secret shopping. He said he makes enough to go on vacation once a year, but he does have to work a little bit for it. He also said you should never pay anyone to be a secret shopper.

I won’t get rich, but if I end up making enough money to pay my accountant come tax time, I’ll be happy.

I’d actually consider running a screensaver

Lycos has released a screensaver that combats spam. It just tries to repeatedly download the web content of known spammers in hopes of driving up their bandwidth costs.

I am famously opposed to screen savers, but…

Things to look for in a wireless router

It’s the time of year that a lot of people buy computer equipment, and wireless networking is one of the things people look for. But what things should be on the shopping list?

I was hoping you’d ask that question.

Compatibility with what you already have, if possible. Routers are available that speak 802.11a, 802.11b, and 802.11g, or all three. If you already have some wireless equipment, look for something that can speak its language.

Cordless phone interference. 2.4 GHz cordless phones will interfere with 802.11b and 802.11g. 802.11a works at a different frequency, but it might be cheaper to replace your 2.4 GHz phone with a 900 MHz phone.

Speed. 802.11a and 802.11g operate at 54 Mbps, which is considerably nicer than 802.11b’s 11 Mbps, although both are much faster than current U.S. broadband connections, which tend to top out around 3 Mbps. If you move a lot of files around, you’ll appreciate the 54 Mbps speed. If your primary use of wireless is sharing an Internet connection and a printer or two, 802.11b is probably fast enough, and it’s usually cheaper, with the downside of shorter life expectancy.

802.11g is currently the most popular standard, because it gives 54 Mbps speed and offers compatibility with existing 802.11b equipment. Use this information as you will. If you’re of the security by obscurity mindset, 802.11a is a better choice, as a wardriver is more likely to be driving around with an 802.11b or 802.11g card. If you want to make sure your buddies can hook up when they come over, or you can hook up at your buddies’ places, 802.11g is the better choice.

Brand. Match the brands of router and cards, if at all possible. This makes configuration and security much simpler.

WPA. The encryption used by older standards is relatively weak. You want to enable 128-bit WEP (256-bit WEP is better but still not as good as WPA), change the SSID and disable SSID broadcast, and hard-code your MAC addresses so that only your cards can use your router. This protects you from someone driving around your neighborhood with a laptop and using your Internet connection to send out spam or transfer illicit material that can be traced back to you. Do you want the RIAA suing you because someone used your Internet connection to download 400 gigs’ worth of boy-band MP3s off Kazaa? Worse yet, if that happens, word might get out that you like that stuff.

WPA adds another layer of protection on top of these (which are standard issue by now). Rather than the security key being fixed, it’s dynamically generated from trillions of possibilities. Sufficient CPU power to crack WPA and either monitor your transmissions or use your access point might someday exist, but for now it gives the best protection available, so you should get it and use it. This USRobotics whitepaper on security ought to be a must-read.
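How WPA-Personal gets from one fixed passphrase to a different key for every session, as an added example that is not part of the original post. It follows the IEEE 802.11i key hierarchy; the MAC addresses, nonces and passphrases are constructed values.

```python
import hashlib
import hmac

# Constructed sample addresses (not from the post).
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """256-bit pairwise master key: PBKDF2-HMAC-SHA1, salted with the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def session_keys(passphrase: str, ssid: str, anonce: bytes, snonce: bytes) -> dict:
    """Derive the per-session keys that the four-way handshake produces.

    The access point and the client each contribute a fresh random nonce,
    so the temporal key changes on every association even though the
    passphrase and SSID stay the same.
    """
    pmk = derive_pmk(passphrase, ssid)
    data = (min(AP_MAC, STA_MAC) + max(AP_MAC, STA_MAC)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {
        "kck": ptk[0:16],   # authenticates the handshake messages
        "kek": ptk[16:32],  # wraps the group key sent to the client
        "tk": ptk[32:48],   # encrypts this session's data frames
    }


if __name__ == "__main__":
    # Same passphrase, two associations with different (constructed) nonces.
    first = session_keys("correct horse battery", "HomeNet", b"\x01" * 32, b"\x02" * 32)
    second = session_keys("correct horse battery", "HomeNet", b"\x03" * 32, b"\x04" * 32)
    print("session 1 temporal key:", first["tk"].hex())
    print("session 2 temporal key:", second["tk"].hex())

    # The SSID is the salt, so a factory-default network name gives an
    # attacker's precomputed tables something to match against.
    print("PMK, SSID 'linksys':", derive_pmk("correct horse battery", "linksys").hex())
    print("PMK, SSID 'HomeNet':", derive_pmk("correct horse battery", "HomeNet").hex())
```

Everything below the passphrase is derived, so the strength of the whole hierarchy still rests on choosing a long, unguessable passphrase and a non-default SSID.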

Built-in firewall with port forwarding. This is a standard feature on all brand-name units and ought to be on the off brands as well, but it doesn’t hurt to double check. Hardware firewalls are far superior to software firewalls–they don’t annoy you with popups and they can’t be disabled by a malicious process. Port forwarding is necessary for a lot of games, and also if you want to run your own mail or web server.

Hackability. By this I don’t mean the ability of an outsider to get in, I mean your ability to add capability to it. The Linksys WRT54G is based on Linux, so it has a big following with an underground community adding capabilities to it all the time. If you want to take advantage of this, look for a WRT54G or another device with a similar following.

Spam that infects your computer

This really isn’t anything new–I’ve long suspected spam was using ActiveX controls to infect computers with spyware and other unpleasantries, but now a spam message that infects your computer when you opt out is gaining publicity.

The usual advice applies. Turn off the preview pane in Outlook/Outlook Express, if you must use a Microsoft program at all to read mail.

Install a spam filter. I used POPFile. Outclass allows POPFile to work with Outlook, even in Exchange Corporate Workgroup environments.

Consider getting a Yahoo mail account, or, if you ever happen to get an invitation, a Gmail account. They filter your spam for you and do a pretty good job, in my experience.

If spam gets through, don’t even open it. Tell me, why would any legitimate e-mail have a subject line like “Drugs online no prior prescription needed?” Or “Gen.eric Vioxx, Gen.eric Am.bien, Gen.eric Paxil, and more?”
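A small Bayesian subject-line filter of the kind POPFile applies to whole messages, as an added example (not POPFile's code and not from the original post). It shows why the "Gen.eric" trick in the subject above does not help the sender once tokens are normalized; the training subjects are constructed.

```python
import math
import re
from collections import Counter


def tokenize(subject: str, normalize: bool = True) -> list:
    """Lowercase word tokens; optionally drop punctuation wedged inside words."""
    if normalize:
        # "Gen.eric" -> "Generic", "Am.bien" -> "Ambien"
        subject = re.sub(r"(?<=[A-Za-z])[.\-_*](?=[A-Za-z])", "", subject)
    return re.findall(r"[a-z0-9]+", subject.lower())


class SubjectFilter:
    """Naive Bayes over subject tokens with add-one (Laplace) smoothing."""

    def __init__(self):
        self.tokens = {"spam": Counter(), "ham": Counter()}
        self.messages = {"spam": 0, "ham": 0}

    def train(self, label: str, subject: str) -> None:
        self.tokens[label].update(tokenize(subject))
        self.messages[label] += 1

    def spam_probability(self, subject: str, normalize: bool = True) -> float:
        vocab = set(self.tokens["spam"]) | set(self.tokens["ham"])
        n_spam = sum(self.tokens["spam"].values())
        n_ham = sum(self.tokens["ham"].values())
        # Start from the prior odds, then add each known token's evidence.
        log_odds = math.log(self.messages["spam"] / self.messages["ham"])
        for tok in tokenize(subject, normalize):
            if tok not in vocab:
                continue  # never-seen tokens carry no evidence either way
            p_spam = (self.tokens["spam"][tok] + 1) / (n_spam + len(vocab))
            p_ham = (self.tokens["ham"][tok] + 1) / (n_ham + len(vocab))
            log_odds += math.log(p_spam / p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))


def build_filter() -> SubjectFilter:
    """Train on a handful of constructed subjects (sample data, not real mail)."""
    f = SubjectFilter()
    for s in ("Generic Vioxx and Paxil at low prices",
              "Drugs online no prior prescription needed",
              "Singles want to talk to you now"):
        f.train("spam", s)
    for s in ("Backup Exec job failed on the file server",
              "Meeting moved to Thursday at noon",
              "Question about your wireless router post"):
        f.train("ham", s)
    return f


if __name__ == "__main__":
    f = build_filter()
    obfuscated = "Gen.eric Vioxx, Gen.eric Am.bien, Gen.eric Paxil, and more?"
    print("normalized:", round(f.spam_probability(obfuscated), 3))
    print("raw tokens:", round(f.spam_probability(obfuscated, normalize=False), 3))
    print("legit mail:", round(f.spam_probability("Wireless router question"), 3))
```

A real filter trains on thousands of your own messages, which is why it needs a few days of corrections before it becomes accurate.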

And of course, get an antivirus program and keep the virus definitions up to date. Newer antivirus programs are even starting to detect and eliminate spyware, finally.

One person told me he reads and responds to all spam, because if he didn’t, he wouldn’t get any e-mail. If you or someone you know reads spam out of loneliness, that’s curable too. Install a spam filter and then fill the void by going to Yahoo Groups and looking for an active group on something that interests you. I think every single time I’ve gotten interested in something or someone’s asked me a question, I’ve found a Yahoo group that pertains to it. The person is almost guaranteed to learn something, and chances of making some new friends are pretty high.