laugh and you’re dead

Humour: Guardian: The joke's on Saddam: In northern Iraq, they're laughing at Saddam Hussein. Luke Harding meets two comedians who have dared to cock a snook at the ruthless dictator - and annoyed him so much that he ordered their assassination.

The film was screened on Kurdish television; and after decades of official repression, it was a huge hit. Saddam's vigilant agents dispatched a CD copy to Baghdad. The Iraqi president was not amused. His response, when it came, was predictable: he sent several assassins to northern Iraq to kill the entire cast. 'Fortunately the guys were all arrested (by the Kurdish authorities),' Hassan recalls. 'They were found carrying a list. All our names were on it.'

With your fetlocks flowing in the… wind

Life imitates Father Ted. It seems the Irish Eurovision entry sounds very similar to the Danish entry from 2000, which, if true, is almost exactly the subject of a classic episode of cult comedy TV show Father Ted, My Lovely Horse.

Dougal: 'So we wouldn't be stealing the song then?' Ted: 'No, it'd be more like we were keeping their memory alive.' Dougal: 'So if we won we could give the prize money to their relatives?' Ted: 'Yeah, we'll play that by ear.'

The full low-down on the episode is here. Classic...

Anyway, I'm now in sunny SoCal, set up with more bandwidth than I've had in over a year. In fact, I'm swimming in bandwidth. Plus a decent pair of speakers for the ol' MP3 collection, at last (my last set are in storage and have been for 3 months)... happy happy joy joy.

Myself and my cat had a 16-hour flight, and somehow or other, he seems satisfied. Well, I suppose as long as the catfood and lots of petting is forthcoming, life is grass for this fella. Easily satisfied!

Date: Tue, 11 Mar 2003 17:09:01 +0000
From: Joe McNally (spam-protected)
To: Yahoogroups Forteana (spam-protected)
Subject: My Lovely Horse

http://www.irishnews.com/access/daily/current.asp?SID=428546

Real life repeat of Father Ted feared

By Staff reporter

IRELAND'S Eurovision hope Mickey Joe Harte has rubbished claims that his song bears a close resemblance to Denmark's winning entry of 2000.

Eurovision fans were complaining of deja vu yesterday when listening to We've Got the World, which will be sung by the Lifford father-of-two. The song - written by Mark Brannigan and Keith Molloy - is said to sound eerily like Fly on the Wings of Love, sung by the Danish Olsen Brothers three years ago.

Mickey Joe last night said he 'honestly couldn't see the similarity', but added that the first line of the chorus could be said to resemble the Danish entry.

Phil Coulter, one of the judges who watched thousands of young hopefuls perform in RTE's You're a Star talent show - which Mickey Joe won on Sunday night - also insisted any similarity between the two songs was purely coincidental.

But RTE's Joe Duffy radio programme was inundated with calls from listeners who were terrified that Ireland was setting itself up for a Father Ted-like fiasco.

Listener Frank O'Reilly told Duffy that his daughter Claire, a Eurovision fanatic, spotted the similarity immediately and revealed that the words of one song could be sung over the melody of the second.

A second listener, called Margaret, also said she and her children had started singing the Danish song in their sitting room on the first night they heard We've Got the World.

Ironically, an episode of the hit Channel 4 comedy Father Ted featured the title character, played by Dermot Morgan, and his sidekick Fr Dougal, bidding for Eurovision glory with a 'borrowed' song from another Scandinavian country in a previous year.

Phil Coulter admitted that the Irish song was reminiscent of the Olsen ditty, but insisted there 'was nothing intrinsically original' about the Danish song.

'There is no question that there is going to be any kind of objection and there is no question that any objection would be upheld,' he added.

-- Joe McNally :: Flaneur at Large :: http://www.flaneur.org.uk

More on SCO v IBM

LWN on the case. An excellent commentary, and features this lovely user-posted comment as well:

'Without access to such equipment, facilities, sophisticated methods, concepts and coordinated know-how, it would be difficult or impossible for the Linux development community to create a grade of Linux adequate for enterprise use.'

Alan Cox wrote the first SMP version of Linux. Do you know who bought Alan the hardware? It was Caldera :-)

Not IBM, after all, but Caldera -- who are now part of the SCO group. This usenet posting from 1995 backs that up, as does the Caldera-badged Linux SMP page.

‘Prestigious Non-Accredited Degree’ sites shut down

The BBC reports that trading standards officials from the UK and US have successfully shut down an Israeli/Romanian/US-based fake-degree spam operation. Or maybe they've just shut down 3 websites, which is all I can see in that report -- that's not going to make a whole lot of difference, so let's hope not.

Date: Fri, 07 Mar 2003 14:09:32 +0000
From: "Tim Chapman" (spam-protected)
To: forteana (spam-protected)
Subject: Bogus degree sites shut down

http://news.bbc.co.uk/1/hi/education/2829237.stm

Last Updated: Friday, 7 March, 2003, 12:19 GMT

Bogus degree sites shut down

Several websites offering fake British degrees for up to £1,000 each have been closed down following a joint operation in the UK and US.

The certificates, from 14 made-up institutions, were used by hundreds of unqualified people, mainly in North America, to gain jobs in areas such as teaching, computing and childcare.

The operation, which employed 30 staff in Romania, targeted millions of people every day with circular e-mails.

Trading standards officers in Enfield, north London, worked with their US counterparts for four years before the US District Court ordered the closure of the sites.

Investigator Tony Allen said: "It was a difficult operation to crack. The problem was that the people sending out the e-mails weren't conning anyone.

'Worrying'

"Those people who bought the degrees knew exactly what they were doing. The complaints we received were actually from colleagues of those who got jobs by lying.

"It's worrying that they got into such important and responsible positions using the fake degrees."

Among the institutions created for the websites were the University of Palmers Green, the University of Wexford and Harrington University. The operation, run by a man and a woman, both Israeli, was based at offices in Israel, Romania and the US. It is thought to have made millions of pounds.

The bogus institutions used a drop box in Green Lanes, London, as a postal address.

Under the Education Reform Act of 1988 it is an offence to supply a degree unless approved to do so by the Education Secretary.

Higher education minister Margaret Hodge said: "Many overseas organisations use the UK's name and higher education reputation to offer their own 'degrees' over the internet, so I welcome this action to clamp down on such operations.

"This demonstrates that action can be taken with the use of international co-operation. I take this matter very seriously.''

SCO sues IBM over Linux

SCO sues IBM (via Slashdot). Talk about self-immolation: sue IBM, of all companies, with an intellectual property case. One SCO claim:

'It is not possible for Linux to rapidly reach Unix performance standards for complete enterprise functionality without the misappropriation of Unix code.'

Apart from the fact that SMP is just not a state-of-the-art thing any more; things move on! Perhaps if SCO/Novell/USL hadn't sat on their hands for 10 years, swapping IP and suing BSDI, they'd still be in the game. Anyway, here's what the analysts think:

'It's a fairly end-of-life move for the stockholders and managers of that company,' said Jonathan Eunice, an Illuminata analyst. 'Really what beat SCO is not any problem with what IBM did; it's what the market decided. This is a way of salvaging value out of the SCO franchise they can't get by winning in the marketplace.'

He said it.

Cough Cheat Millionaire transcript

The transcript of the "Who Wants To Be A Millionaire" episode at the centre of a current UK court case; the producers claim that the contestant cheated, with the aid of a coughing accomplice. Going by this transcript, it's an open-and-shut case IMO.

Date: Thu, 06 Mar 2003 09:56:42 +0000
From: Tom Farrell (spam-protected)
To: (spam-protected)
Subject: cough cheat millionaire transcript

The major answered the first three questions, but got into difficulty on question six, using the "ask the audience" lifeline when confronted with a question about Coronation Street. He struggled on the next question about the location of the river Foyle and phoned a friend.

As the questions became harder, Major Ingram often appeared unsure and wrestled out loud with several options, often going for a different answer from the one he initially appeared to choose.

Mr Hilliard said there was "a bit of an attempt to make it look like a sweat, some furrowing of the brow ... complete changes of mind coincide with the coughs; if you look at the whole picture, that's what's going on."

Major Ingram struggled on question eight, when he was asked who Jacqueline Kennedy's second husband had been. On two occasions, when he said the correct answer - Aristotle Onassis - out loud, a cough was heard, which the prosecution claims came from Mr Whittock.

For £125,000, Major Ingram was asked about the Holbein painting the Ambassadors.

Major Ingram: "I think I'm going to go for Holbein."

A cough is heard. Major Ingram says this is his final answer, and is told he is right.

During the next question there was a series of coughs as Major Ingram struggled with the question.

Tarrant asked: "What kind of garment is an Anthony Eden? An overcoat, hat, shoe, tie?"

Major Ingram: "I think it is a hat."

Cough.

Major Ingram: "Again I'm not sure. I think it is..."

Coughing.

Major Ingram: "I am sure it is a hat. Am I sure?"

Cough.

Major Ingram: "Yes, hat, it's a hat."

To cheers, Tarrant told him it was the right answer. Then for the £500,000 question, he was asked: "Baron Haussmann is best known for his planning of which city? Rome, Paris, Berlin, Athens."

Major Ingram: "I think it is Berlin. I think Haussmann is a more German name than Italian or Parisian or Athens. I am really not sure. I'm never sure. If I was at home, I would be saying Berlin if I was watching this on TV."

A loud cough was then heard, and the prosecution claim that Mr Whittock resorted to the "desperate measure" of saying the word "no" under cover of a cough.

Major Ingram: "I do not think it's Paris."

Cough.

Major Ingram: "I do not think it's Athens, I am sure it is not Rome. I would have thought it's Berlin but there's a chance it is Paris but I am not sure. Think, think, think! I know I have read this, I think it is Berlin, it could be Paris. I think it is Paris."

Cough.

Major Ingram: "Yes, I am going to play."

Tarrant: "Hang on, where are we?"

Major Ingram: "I am just talking to myself. It is either Berlin or Paris. I think it is Paris."

Cough.

Major Ingram: "I am going to play Paris."

Tarrant: "You were convinced it was Berlin."

Major Ingram: "I know. I think it's Paris."

Tarrant: "He thought it was Berlin, Berlin, Berlin. You changed your answer to Paris. That brought you £500,000. What a man! What a man. Quite an amazing man."

Then came the £1m pound question: "A number one followed by 100 zeros is known by what name? A googol, a megatron, a gigabit or a nanomole?"

Major Ingram: "I am not sure."

Tarrant: "Charles, you've not been sure since question number two."

Major Ingram: "The doubt is multiplied. I think it is nanomole but it could be a gigabit, but I am not sure. I do not think I can do this one. I do not think it is a megatron. I do not think I have heard of a googol."

Cough.

Major Ingram: "Googol, googol, googol. By a process of elimination I have to think it's a googol but I do not know what a googol is. I do not think it's a gigabit, nanomole, and I do not think it's a megatron. I really do think it's a googol."

Tarrant: "But you think it's a nanomole. You have never heard of a googol."

Major Ingram: "It has to be a googol."

Tarrant: "It's also the only chance you will have to lose £468,000. You are going for the one you have never heard of."

Major Ingram: "I do not mind taking the odd risk now and again. My strategy has been direct so far - take it by the bit and go for it. I've been very positive, I think. I do not think it's a gigabit, I do not think it's a nanomole or megatron. I am sure it's a googol."

Cough.

Major Ingram: "Surely, surely."

Tarrant: "You lose £468,000 if you are wrong."

Major Ingram: "No, it's a googol. God, is it a googol? Yes, it's a googol. Yes, yes, it's a googol."

Cough.

Major Ingram: "I am going to play googol."

After a break, Tarrant said: "He initially went for nanomole, he then went through the various options again. He then went for googol because he had never heard of it and he had heard of the other three. You've just won £1m."

Who the fuck is Amanda Perez?

and why is she spamming me?

From: "Amanda Perez" amandaperez@virginrecords.com
To: 20021202123631.31AB416F1F@jmason.org

Let's send Amanda Perez and her new video 'Angel' to the top of MTV's Total Request Live!

I don't think so. How's about reporting her to SpamCop instead?

Wow, Virgin Records, you are in so much trouble; spamming me with this crap, using a scraped address -- in fact, not even a valid address; it's a Message-Id! That address has never existed to receive mail. Out and out spamming. Unbelievable.

Update: actually, it's probably nothing to do with Virgin, on reflection; nothing in the headers indicates anything apart from a dialup PacBell customer. So, Virgin Records, sorry for all the shouting ;)

Return-path: (spam-protected)
Delivered-to: (spam-protected)
Received: from localhost (jalapeno [127.0.0.1])
by jmason.org (Postfix) with ESMTP id 4FC7816F17
for (spam-protected) Thu,  6 Mar 2003 11:10:38 +0000 (GMT)
Received: from jalapeno [127.0.0.1]
by localhost with IMAP (fetchmail-5.9.0)
for (spam-protected) (single-drop); Thu, 06 Mar 2003 11:10:38 +0000 (GMT)
Received: from pavillion (adsl-63-202-108-251.dsl.lsan03.pacbell.net
[63.202.108.251]) by dogma.slashnull.org (8.11.6/8.11.6) with ESMTP id
h268Nin26527 for (spam-protected) Thu,
6 Mar 2003 08:23:44 GMT
Message-id: (spam-protected)
Mime-version: 1.0
Content-type: text/plain; charset=''iso-8859-1''
Content-transfer-encoding: 7bit
X-spam-status: No, hits=-5.7 required=5.0
tests=AWL,BAYES_01,CLICK_BELOW,MSG_ID_ADDED_BY_MTA_3,
RCVD_IN_BL_SPAMCOP_NET,T_BLANK_LINE_RATIO_01_40_50,
T_BLANK_LINE_RATIO_04_40_50,T_BLANK_LINE_RATIO_08_40_50,
T_BLANK_LINE_RATIO_20_00_02
version=2.60-cvs
X-spam-level: 
X-spam-checker-version: SpamAssassin 2.60-cvs (1.178-2003-03-03-exp)
Subject: They put me on MTV!
From: ''Amanda Perez'' (spam-protected)
Date: Thu, 06 Mar 2003 00:32:25 -0800 (08:32 GMT)
To: (spam-protected)
Let's send Amanda Perez and her new video ''Angel'' to the top of MTV's Total Request 
Live!
Thanks for helping Amanda get to the top, please try to vote before the week 
is out, and you can see the results on MTV's TRL.
Just click on the link below or paste it into your browser's Address window and 
hit enter to vote for Amanda's video at MTV.com.
http://www.mtv.com/onair/trl/votevideo.jhtml
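
The two observations in this post (the recipient address is really a Message-Id, and the only externally recorded hop is a PacBell DSL line unrelated to the From: domain) can be checked mechanically. The following is an added example, not code from the original post or from SpamAssassin; the function names, the finding labels and the "public IP means external hop" shortcut are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the header dump above, with the redacted From:/To:
# filled in from the addresses quoted at the top of the post and the
# redacted "for ..." clauses dropped.
SAMPLE = """\
Received: from localhost (jalapeno [127.0.0.1])
 by jmason.org (Postfix) with ESMTP id 4FC7816F17;
 Thu,  6 Mar 2003 11:10:38 +0000 (GMT)
Received: from jalapeno [127.0.0.1]
 by localhost with IMAP (fetchmail-5.9.0);
 Thu, 06 Mar 2003 11:10:38 +0000 (GMT)
Received: from pavillion (adsl-63-202-108-251.dsl.lsan03.pacbell.net
 [63.202.108.251]) by dogma.slashnull.org (8.11.6/8.11.6) with ESMTP id
 h268Nin26527; Thu, 6 Mar 2003 08:23:44 GMT
Subject: They put me on MTV!
From: "Amanda Perez" <amandaperez@virginrecords.com>
To: <20021202123631.31AB416F1F@jmason.org>

(body omitted)
"""

# sendmail ids look like YYYYMMDDHHMM.queueid, Postfix adds seconds.
MSGID_LOCAL_RE = re.compile(r"^(\d{12})(\d{2})?\.[0-9A-Za-z]{8,}$")
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"(?:\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9.]+)\]\)|\[(?P<ip2>[0-9.]+)\])"
    r".*?\bby\s+(?P<by>\S+)", re.S)


def looks_like_message_id(address):
    """Heuristic: local part is timestamp.queue-id, as an MTA generates."""
    m = MSGID_LOCAL_RE.match(address.rpartition("@")[0])
    if not m:
        return False
    try:
        datetime.strptime(m.group(1), "%Y%m%d%H%M")  # reject non-dates
    except ValueError:
        return False
    return True


def external_handoff(msg):
    """Newest Received hop whose peer IP is public. That line was written
    by the receiving site's own MX; anything older is sender-supplied.
    Assumption: internal hops use loopback/private addresses; a real
    deployment would list its own relays explicitly."""
    for raw in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(raw.split()))  # unfold the header
        if not m:
            continue
        ip_text = m.group("ip") or m.group("ip2")
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue
        if ip.is_loopback or ip.is_private:
            continue
        return {"helo": m.group("helo"), "rdns": m.group("rdns"),
                "ip": ip_text, "by": m.group("by")}
    return None


def rdns_embeds_ip(rdns, ip):
    """Dial-up/DSL pools usually encode the address in the hostname."""
    octets = ip.split(".")
    forms = ["-".join(octets), ".".join(octets),
             "-".join(reversed(octets)), ".".join(reversed(octets))]
    return any(form in rdns for form in forms)


def base_domain(host):
    # Crude last-two-labels comparison, not a public-suffix lookup.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def assess(raw_message):
    msg = message_from_string(raw_message)
    findings = []
    if looks_like_message_id(parseaddr(msg.get("To", ""))[1]):
        findings.append("recipient-is-message-id")
    hop = external_handoff(msg)
    if hop and hop["rdns"]:
        if rdns_embeds_ip(hop["rdns"], hop["ip"]):
            findings.append("dynamic-rdns-relay")
        sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
        # Supporting evidence only: plenty of legitimate mail is relayed
        # by hosts outside the From: domain.
        if sender and base_domain(sender) != base_domain(hop["rdns"]):
            findings.append("relay-unrelated-to-from-domain")
    return hop, findings


if __name__ == "__main__":
    hop, findings = assess(SAMPLE)
    print(hop)
    print(findings)
```
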

very nasty new sendmail vulnerability

Remote Sendmail Header Processing Vulnerability.

Attackers may remotely exploit this vulnerability to gain 'root' or superuser control of any vulnerable Sendmail server. Sendmail and all other email servers are typically exposed to the Internet in order to send and receive Internet email. Vulnerable Sendmail servers will not be protected by legacy security devices such as firewalls and/or packet filters. This vulnerability is especially dangerous because the exploit can be delivered within an email message and the attacker doesn't need any specific knowledge of the target to launch a successful attack.

Sendmail versions from 5.79 to 8.12.7 are vulnerable.

Protection mechanisms such as implementation of a non-executable stack do not offer any protection from exploitation of this vulnerability. Successful exploitation of this vulnerability does not generate any log entries.

Great...

Recent history of the written word, with William Gibson

William Gibson, talking about why he uses all-caps book titles, gives a short history lesson regarding the rendering of book titles, back in the age of the mimeograph:

Much of my earliest typewriting experience had to do with mimeography, a pre-thermocopy form of reproduction once fairly universal in the world's offices. You typed, once, on a waxed paper 'stencil', clipped this over a silkscreen device with a moving pad or drum of ink behind it, and your mimeograph ran off (or silkscreened, really) as many copies of your document as you required. Owing to the physical peculiarities of the medium, though, it was unwise to underline too frequently on a mimeograph stencil: the single unbroken line was particularly prone to tear, producing leaks and smudging.

People who liked books, and frequently wrote letters, on typewriters, to other people who liked books, tended, free from the constraints of an academic stylesheet, to render titles in all-caps. People who wrote about books for publication in amateur journals (mimeo was an authentic medium of the American samisdat) rendered titles in all-caps in order to avoid stencil-tears. At various times, I was both.

It's such a pleasure having this kind of stuff to read every day!

Returnadores

Returnadores: a New Life in the Old World. 'Imported from Argentina to help save the village from a decades-long decline in population which threatened its very future, the Paez family has travelled backwards along the path of the first conquistadores and the generations of Spanish emigrants who followed them.'

Random Word of BIG LETTERS

Leonard notes the 'Random word of mixed symbols with length 1 to 27' type spammer obfuscation, suggesting it's 'open source spam'; I reckon it's more 'literate programming spam', in that it's self-documenting. But it certainly is very weird. Maybe some spamtool developer has a COBOL fetish.

Anyway, just got back from a very enjoyable work trip to find my visa documents have arrived -- so things are probably going to heat up 'round about Thursday, when I have my interview at the US Embassy. Once that happens, it's full speed ahead on flights, shipping, figuring out how to transport the cat, handing over house to new tenants, etc. etc...

Bitstream come through with Vera

Bitstream Vera released as a beta. The full release, sometime next month, will use an extremely open license. To quote the FAQ:

Are derivative works allowed?

Yes!

I want to sell a software package that uses these fonts: Can I do so?

Sure. Bundle the fonts with your software and sell your software with the fonts. That is the intent of the copyright.

Hey presto -- open source fonts! Good work by Jim Gettys, Bitstream and GNOME in making these available.

World’s first 419 revenge killing? (fwd)

Spam: The Register: World's first 419 revenge killing?

Michael Lekara Wayid, 50, Nigeria's consul in the Czech Republic, was shot dead at the embassy yesterday morning. The embassy's 37-year-old receptionist was shot in the hand during the melee which began after a suspect opened fire after visiting the embassy to discuss an unspecified business matter yesterday morning. A 72-year-old Czech man was arrested at the scene on suspicion of murder, the BBC reports. Unconfirmed, and thus far sketchy reports, suggest the unnamed suspect was a victim of a 419 (AKA advanced fee) fraud.

Now that's taking it a bit too far IMO ;)

A new world for radio regulators

GNU Radio, which (as noted on Boing Boing) has just released screenshots of a successfully-decoded HDTV signal, is a totally new way to receive (and possibly, in the future, send) radio-frequency signals. The FCC ponder the implications:

The emergence of the low-cost, generally available SDR which can be configured with ... open software will present a new issue for regulators. What will be placed in the hands of the public entrepreneurs, amateurs, and even those with malicious intent will be machines which in principal can emulate, send, and receive any radio signal on any band. ...

Then, with the world-wide availability of software that can even be modified if needed, any radio transmitter or receiver can be emulated. Bans on receiver types will be circumventable with ease. Mandates such as the proposed ATSC broadcast flag will be hard to enforce (and may even fail in the presence of a single web-connected noncompliant receiver). And, although not generally an issue for the Commission, it will be possible to implement proprietary systems without the benefit of any license from the patent holder. Because the software is open, as a practical matter virtually all mandated restrictions will be at risk (except for total power output which remains a classical hardware issue). ...

In the GNU SDR environment, we have the makings of a powerful new technology that has the potential of solving the spectrum management problem, but we may also have other people in the world writing and distributing software with their own agenda.

Wow. That's a brave new world. I wish I knew enough about radio tech to really get a handle on this stuff...

AOL reports on its spam-blocking efforts

Lycos: AOL reports to Members on Its Efforts to Fight Spam. 'Members Now Reporting 4.1 Million Junk E-Mails Daily To AOL' .... 'AOL announced that its proprietary anti-spam filtering technology is blocking up to 780 million pieces of junk mail every day from reaching member e-mail inboxes, which amounts to an average of 22 blocked spam e-mails per account daily.'

Of course, they don't say how much mail overall arrives at AOL, but I'd hazard a guess it's not much over 1,300 million messages per day based on those figures.

Hotmail getting tough on spammers

Reg: Hotmail files anti-spam lawsuit. 'Microsoft has targeted spammers with a lawsuit aimed at bulk mailers who harvest email addresses of Hotmail subscribers in order to bombard them with junk. ... In the suit, Microsoft alleges that unnamed bulk mailers used tools to randomly generate email addresses prior to testing this list out to see which accounts were active. Essentially this is a form of dictionary attack, which Microsoft argues violates federal laws including the Computer Fraud and Abuse Act. Trespass is also involved in the attacks, the software giant argues.' Go Hotmail!

Also noteworthy: Out-Law.com: The Spammers Are Watching You: 'Eight out of ten spam e-mails contain covert tracking codes which allow the senders to record and log recipients' e-mail addresses as soon as they open the message.' Well, duh, that's why SpamAssassin has a WEB_BUGS rule. Unfortunately, eight out of ten legit HTML newsletter mails contain web bugs, too. :(
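
To make the web-bug point concrete, here is an added sketch (not SpamAssassin's WEB_BUGS rule and not code from the original post) that flags remote images able to report an open back to the sender. It is run over two constructed HTML bodies, one spam-like and one newsletter-like, and both trip it, which is exactly why the signal cannot separate spam from ham on its own. All names, URLs and thresholds are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample bodies; the .example hosts are placeholders.
SPAM_HTML = """<html><body><p>Vote now!</p>
<img src="http://tracker.example/o.gif?e=user%40example.org" width=1 height=1>
</body></html>"""

NEWSLETTER_HTML = """<html><body>
<img src="http://news.example/logo.png" width="200" height="60">
<p>This month's issue...</p>
<img src="http://news.example/open?id=3f9c2a7be41d4c06a1b2" width="1" height="1">
</body></html>"""


class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in a message body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def _tiny(img):
    """True when both declared dimensions are 0 or 1 pixel."""
    def dim(name):
        m = re.match(r"\s*(\d+)", img.get(name, ""))
        return int(m.group(1)) if m else None
    w, h = dim("width"), dim("height")
    return w is not None and h is not None and w <= 1 and h <= 1


def _per_recipient(url, recipient):
    """Why the URL looks unique to one recipient, or None."""
    parts = urlsplit(url)
    haystack = unquote(parts.path + "?" + parts.query).lower()
    if recipient.lower() in haystack:
        return "address-in-url"
    for _, value in parse_qsl(parts.query):
        # A long opaque value is typically a per-recipient mailing id.
        if re.fullmatch(r"[0-9A-Za-z_-]{16,}", value):
            return "opaque-token"
    return None


def find_web_bugs(html, recipient):
    """Return (src, reason) for each image that can report an open."""
    parser = ImgCollector()
    parser.feed(html)
    hits = []
    for img in parser.images:
        src = img.get("src", "")
        if urlsplit(src).scheme not in ("http", "https"):
            continue  # cid:/data: images are embedded, nothing is fetched
        reason = _per_recipient(src, recipient)
        if reason or _tiny(img):
            hits.append((src, reason or "tiny-remote-image"))
    return hits


if __name__ == "__main__":
    for name, body in (("spam", SPAM_HTML), ("newsletter", NEWSLETTER_HTML)):
        print(name, find_web_bugs(body, "user@example.org"))
```
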

Incredible Documentary on the Venezuelan Coup

Last night RTE showed Chavez - Inside The Coup, a documentary about the 2-day coup d'etat in Venezuela in April 2002 which overthrew Hugo Chavez, and was then in turn overthrown in a popular uprising.

It was incredible. The team had amazing access to Chavez and the presidential palace while the 2-day coup and mass protests went on. The cameras are right there while Chavez is taken into custody by the generals, carries on rolling through the censorship of the media, through the street protests and shotgun-blasting riot police, and then catches the loyal-to-Chavez presidential guard retaking the palace from the inside.

Finally, it follows the negotiations to get Chavez returned from custody etc.; his cabinet are right there, on screen, talking to the generals on the phone while you watch and listen. Incredible footage, right from the thick of it.

As far as I could tell, it's called Chavez - Inside The Coup, and is by Power Pictures, Irish lads from Galway, no less.

I've never seen anything like it. If you get a chance, don't miss it.

Sony’s Civil War

Wired: The Civil War Inside Sony.

By rights, Sony should own the portable player business. The company's first hit product, back in the '50s, was the transistor radio, the tinny-sounding invention that took rock and roll out of the house and away from the parents and allowed the whole Elvis thing to happen. A quarter-century later, the Walkman enabled the kids of the '70s to take their tapes and tune out the world. But the 21st-century Walkman doesn't bother with tapes or CDs or minidiscs; it stores hundreds of hours of music on its own hard drive. And it sports an Apple logo. ....

Where the iPod simply lets you sync its contents with the music collection on your personal computer, Walkman users are hamstrung by laborious 'check-in/check-out' procedures designed to block illicit file-sharing. And a Walkman with a hard drive? Not likely, since Sony's copy-protection mechanisms don't allow music to be transferred from one hard drive to another - not an issue with the iPod. 'We do not have any plans for such a product,' says Kimura, the smile fading. 'But we are studying it.' ....

What's changed since the original Walkman debuted is that Sony became the only conglomerate to be in both consumer electronics and entertainment. As a result, it's conflicted: Sony's electronics side needs to let customers move files around effortlessly, but its entertainment side wants to build in restraints, because it sees every customer as a potential thief.

Ashutosh Varshney on ethnic conflicts

Great interview with Ashutosh Varshney, an Indian political scientist investigating ethnic violence. From New Scientist, via Damien Morton on FoRK.

So what is the key to predicting which communities will turn violent and which will remain peaceful in times of ethnic unrest?

It comes down to how the cities or villages are structured, and the networks that people form across religious or ethnic divides. In India I have identified two types of civic network, which I call the associational and the everyday. The everyday type covers things such as Hindu and Muslim children playing together and their families and friends visiting each other or eating with each other, or taking part in festivals together. The associational type involves the two groups being members of the same trade unions, sports clubs, student unions, reading clubs, political parties or business organisations. Associational structures go beyond neighbourhood warmth, and in times of unrest they are much more robust. They can be a serious constraint on the polarising strategies of political elites. Places with strong networks of this kind are very likely to remain peaceful.

Reverse-engineering: now even easier with added XML

Slashdot posts a story about 'Hacking the Streamium' -- the Streamium is an 'internet micro hi-fi' made by Philips. The poster writes 'the main gripes (are) that Philips controls which Internet radio stations you can listen to and that the PC-link software ... only runs on Windows. I managed to fix both of these problems by reverse engineering the PC-link protocol and writing my own pc-link server in perl, which can be run on practically any OS, *and* can trick the Streamium into playing any Internet MP3 stream that you want'.

A quick look at his page notes 'the protocol consists of fairly simple xml tags'. It sure does; I'd imagine it took all of 5 minutes with a tcpdump reversing that! In fact, it looks so easy to reverse-engineer, you'd have to wonder if the engineers at Philips weren't hoping something like this might happen ;)

Marching on Traffic-cam

Traffic-camera pictures of the London anti-war march! What would J. G. Ballard make of this? ;)

and here's Hyde Park:

Unfortunately none similar of Dublin.

In passing -- an interesting factoid found on Adam Back's PGP Timeline page: 'While Iraq was still a secret US ally against Iran, Iraqi exchange students (in the US) using the same literature as (Phil Zimmermann, inventor of PGP) later did, wrote a working (Public Key) cryptosystem for (the Iraqi) military - which was using poison gas against the Kurds at the time.' Hmm, ironic!

Everest Base Camp to get internet cafe

BBC: High hopes for Everest cybercafe. 'Tsering Gyalzen hopes the internet facility at Mount Everest base camp will open by March. Proceeds from the venture will support pollution control at the camp, which is used by climbers hoping to scale the world's highest peak. Mr Gyalzen, a member of the Sherpa community, says launch plans for the ambitious project are in the final stage. He told the BBC he was awaiting permission from the authorities to install VSAT digital satellite and other equipment at the base camp, which is over 5,000 metres above sea level.' How cool is that?

Mark Fletcher and Trustic

Mark Fletcher is the guy behind Trustic, a new system which combines aspects of DNSBLs with (what Raph reckons is) a 'PageRank-ish trust metric'.

My take on Trustic is that it needs a way to accumulate trusted, non-spam-relaying addresses; I'm not sure how they intend to get that, apart from people setting up accounts to say 'this is my server'.

Anyway, he also has a blog, with this very interesting (and scary) snippet:

Elance, Spammers, and the Global Economy

eLance is a web site that connects contractors with companies looking to outsource projects. Companies post projects, including detailed descriptions of the work to be done, and contractors or contract houses bid on them. ... So what were many of the projects on eLance about? A quick scan revealed project titles such as: Email Address Extraction From Web Site, Ebay Email Extractor, Linux highspeed directmailer, and Bulk E-Mail and E-Mail Extraction Project. Elance is providing a way for spammers to develop new spam technologies, utilizing a cheap, skilled global work force!

Yikes. Sure enough, a search of eLance for 'bulk mail' reveals a seller called bulkemail01 (1-5 employees, headquartered in the USA): Bulk Mailing and Offshore Hosting Solutions: ' We provide bulk email soultions and offshore hosting for the advanced bulk mailer.'

And these projects -- as Mark notes, the project descriptions require a login, but the prospective-seller comments do not, so I've reproduced some snippets here. A search for bulk mail reveals 11 open projects, including: Bulk Mail Server and Bulk Mail Service Needed Immediately, Bulk E-Mail and Targeted E-Mail Extraction Project, Distributed Bulk Emailer, and bulletproof hosting and mailing needed.

A bunch called DbInnovation, 10-13 employees, based in Hungary and Russia, comments on one project that 'we are developing a high performance linux e-mailer. Sends through all kinds of proxies, uses several antifitering techniologies, uses random subjects and 'from' addresses, etc, etc, etc (LOTS of other features). Web-based control centre for it. The mailer can be run on 30-50 servers simmultaniously and controlled from one place. Every server sends LIGHT FAST - 5-7 millions daily. It is VERY complicated and POWERFULL clustered software. It was written on C and it tunes Linux kernel to make the speed as fast as possible. The sw is under redevelopment and will be ready to March.'

Hostrus, aka 'Hosting R Us', 6-19 employees, Toronto, Canada: comments 'We offer reliable spam tolerant bullet proof hosting that will NEVER get shut down!! we provide reliable bullet proof hosting We can provide you with references,test IPs and provide you with a solution'.

dsln (profile 'no longer available'): We have servers in Jakarta, Indonesia, India, Japan , Brazil, Arentina, Russia. And all of them are BULK EMAIL FRIENDLY. You server will never e SHUT DOWN due to complains. The ISP's will take up all the heat,what soever. The line would be 2MBPS one.You will also get 16 IPs per server, which can be changed every 15 days as you want. New Pool of IPs can be given to you every 15 days. These servers can be utilised very well for the mailing, you ae looking at. ... We can do these kind of mailing for you. We mail arround 8-10 Million email IDs , using several servers and can do this kind of mailing for you as well. The cost for sending 10 Million emails would be $1050.

MobileSoft (Karachi, Pakistan): 'We can provide you the SPAM Friendly Dedicated servers with control panel , we can handle more than 50 K Complaints daily, we will provide you the ips as your requirement'.

prompt (Anmol Solutions, Argentina): 'I can host you at 4 bullet proof places, 2 in Arg and brazil each, i can give you 2 *256 ips if you want and you will have 10 MPBS line. For each server you will be charged $250 per month and $400 setup charges, you may easily go upto 25 servers with the same amt of bw yes u may mail u may host u may do what ever you want :)'

A couple of other sites show the same situation: here's a project at ContractedWork.com to build a 'Bulk Mailer using open Proxies'.

In other words, these sites provide what seems to be a good look into the heart of spamware development. Scary stuff.

BTW an open invitation: if any 'white hats' out there get their hands on specific spamware, I'd appreciate them dropping me a line (email addr here). The idea is to analyze the tools and get good signatures for their spam, then add those signatures to SpamAssassin.

In other news, Slashdot reports that SpamAssassin apparently blocks Crypto-Gram. Not quite the case: as Dan points out, it gets 3.2 on version 2.44, and 1.9 on the nearly-released 2.50. That's well inside the 'this is ham' range. However, this comment reports that the mail has been listed in Razor, which pushes it up to 5.9...

So more correctly -- Razor thinks it's spam, not SpamAssassin ;)

Richard Dawkins on GM foods

Richard Dawkins: why Prince Charles is so wrong (via BB).

An interesting read, if only because Richard Dawkins misses several massive chunks of the anti-GMO argument, as several folks point out on the BB discussion board. Firstly, the profit drive is the only thing driving deployed GM products, and that's already been shown to produce unsafe results, in the UK with BSE. Secondly, as one of the posters says, 'Oh, yeah -- Dawkins is absolutely right (in comparing GM to modifying running software): Nothing to gripe about when people tinker with your mission critical apps'.

GTA: Vice City

Grand Theft Auto: Vice City has been nominated for the Designer of the Year award in London:

'We will be highlighting the reason why it is worthy for this prize,' (the curator) added, noting the game's attention to detail in costuming, music and atmosphere.

'I've never been so excited to just watch a video game, never mind playing it,' said Sellers. 'It is really great to see all the details and feel the nuances. Playing it is even better.'

I must say, I have to agree. It's easily one of the best games I've ever played; insanely playable and full of amazing attention to detail. The content's a bit strong in places, but the same can be said of Mean Streets or Scarface, and I'm sure they may have picked up an award or two themselves, along the way. It's just (interactive) fiction.

Proposed Irish data retention laws

Karlin notes this about 'the extraordinary letter the Department of Justice sent out this week to various parties'.

According to the letter, the Department will hold a preliminary forum to 'initiate' a consultation process on its proposed three-year data retention bill ... The forum begins at 3pm -- clearly making sure no long and unruly discussions will develop! -- and starts with a 20-minute address by the Minister, followed by a 20-minute address by the Dept of Communications on the 1997 EU Data Privacy Directive (which, BTW, Ireland STILL has not implemented despite being under legal threat by the EU -- and note that there's no mention of the far more crucial 2002 amended Directive, voted in last May by a spineless and ill-informed EU Parliament, which allows for up to SEVEN YEARS data retention).

Then -- and this is the amazing bit -- attendees get a 20 minute pep talk by An Garda Siochana (the Irish police force) 'on the contribution of data retention in the fight against crime.'

When you pick yourself up off the floor, remind yourself that this is the Irish government's formal initiation of a purported public discussion on data retention -- brought to you by the Irish police. Amazing. You'd have thought they'd at least *pretend* to be balanced and disinterested, and perhaps ask Joe Meade, the Irish Data Protection Commissioner, to contribute as well. ...

The Department of Justice itself should have nothing whatsoever to do with ANY consultation process on this proposed bill. Instead, as in the UK, an independent Dail group should hold hearings and get public input into this.

SpamAssassin makes the New York Times!

James Gleick: A Plague on E-Mail, in yesterday's New York Times magazine. We've broken out of the 'technology' section!

One of the best tools for network administrators is an ever-evolving program called SpamAssassin, which uses a range of tests and a point system to identify spam...

It's so cool that James Gleick likes our 'delightful SpamAssassin irony', too ;)

They seek him here, they seek him there…

Looking for an old mate, Alan Toner, and it's turning out to be tricky; the last mail address I had for him now bounces.

It seems all three. He gets around!

IraqBlog

Dear Raed -- a blog from an Iraqi bloke called Salam Pax. It's amazing to read this; a true, educated, passionate, reasonable voice from inside Iraq.

The trenches and sandbag mountains I wrote about last week are now all over Baghdad. They are not being put there by the army; they are part of the Party's preparations for an insurgence. Each day a different area of Baghdad goes thru the motions. Party members spread in the streets of that area, build the trenches, sit in them polishing their Kalashnikovs and drink tea. The annoyance-factor of these training days depend on the zeal of the party members in that area. Until now the worst was the (14th of Ramadan) street, they stopped cars searched them and asked for ID and military cards, good thing I wasn't going thru that street, I still have not stamped my military papers to show that I have done my reserves training.

Totally off on a tangent, but that street-name reminds me of a line from McCarthy's Bar (extract here):

In Germany once, in the military garrison town of Erlangen, I had a few drinks with three American GIs who were planning to visit England because 'it would be neat to see where John Lennon and Elvis grew up'. They also wanted to know if they could use dollars, and would the street signs be in English? I tried to tell them about Elvis coming from Tennessee, but it seemed to make them want to kill me. The Twenty-eighth Rule states: Never Get Drunk with Soldiers (particularly in countries where the streets are named after dates).

SHOWDOWN in the CRISIS in the WAR in IRAQ in the GULF

SomethingAwful provide their own inimitable spin on how the potential war in Iraq will be fought, featuring Operation: Fifty Legions of Sardaukar ('Imperial strategists estimate minimal casualties among the Sardaukar troops and allied forces of Baron Tony Blair and House United Kingdom'), and Operation: Winnuke ('US_of_A(NATO) wants to send you the file Dance_Routine(Funny!).wmv.vbs').

Spam about spamming

how unfortunate! I guess this spammer hit the wrong key when selecting which set of addresses to send this mail to...

Joshua,

Here is the harvested list 165 names for telecom central office installation. Put together a email promo that we can send out.

Dad

Subject: Telecom email broadcast marketing
From: "Larry" (spam-protected)
Date: Fri, 7 Feb 2003 07:12:43 -0700 (14:12 GMT)
To: "Joshua Dyer (E-mail)" (spam-protected)

(Here's the full text, headers and all:)

From (spam-protected) Fri Feb 7 17:57:50 2003
Return-Path: (spam-protected)
Delivered-To: (spam-protected)
Received: from localhost (jalapeno)
    by jmason.org (Postfix) with ESMTP id 119CB16F17
    for (spam-protected) Fri, 7 Feb 2003 17:57:49 +0000 (GMT)
Received: from jalapeno by localhost with IMAP (fetchmail-5.9.0)
    for (spam-protected) (single-drop); Fri, 07 Feb 2003 17:57:49 +0000 (GMT)
Received: from mail.oelsales.com ([216.205.114.98])
    by dogma.slashnull.org (8.11.6/8.11.6) with ESMTP id h17Fv7E22990;
    Fri, 7 Feb 2003 15:57:09 GMT
Received: from LARRY by mail.oelsales.com
    with ESMTP (SMTPD32-7.13) id AF4F931006A; Fri, 07 Feb 2003 08:14:39 -0600
From: "Larry" (spam-protected)
To: "Joshua Dyer (E-mail)" (spam-protected)
Subject: Telecom email broadcast marketing
Date: Fri, 7 Feb 2003 07:12:43 -0700
Message-Id: (spam-protected)
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0503_01C2CE78.4F82BA40"
X-Priority: 3 (Normal)
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0)
X-Mimeole: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: Normal
X-Spam-Status: No, hits=4.5 required=5.0
    tests=BAYES_30,HTML_70_80,HTML_FONT_COLOR_BLUE,
    HTML_FONT_COLOR_GREEN,HTML_FONT_COLOR_RED,
    HTML_FONT_FACE_ODD,HTML_MESSAGE,RCVD_IN_NJABL,
    SMTPD_IN_RCVD,X_NJABL_OPEN_PROXY
    version=2.50-cvs
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.50-cvs (1.167-2003-02-03-exp)

This is a multi-part message in MIME format.

------=_NextPart_000_0503_01C2CE78.4F82BA40
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Joshua,

Here is the harvested list 165 names for telecom central office
installation.

Put together a email promo that we can send out.

Dad

Larry Dyer, President

OEL WORLDWIDE INDUSTRIES : Worldwide Optics PO Box 445 Palmer Lake, CO 80133 websites: www.oelsales.com & www.worldwideoptics.com Corporate: 719 559-0951 Fax: 719 559-0955 National Sales: 800 818-2244
------=_NextPart_000_0503_01C2CE78.4F82BA40--

Jhai Foundation notes bus attack in Laos

The latest Jhai Foundation newsletter notes an attack on a bus in Laos:

Some of you may have heard about a 'terrorist attack' in Laos yesterday. The reports are true. Eight People on a bus and two people on motorcycles were killed after a robbery. Two of them were internationals. Their identities and nationalities have not yet been confirmed. The attackers are thought to be Lao citizens, probably Hmong, possibly still caught up in the war that ended 28 years ago here. This will not be confirmed until they are caught.

This incident took place more than 30 km North of Vang Vieng or about 100 km North of our launch site. This is a sad day in Laos.

Whoa, I think I was on that bus a year ago! As I recall, that area of Laos is still noted for occasional bandit attacks...

Date: 07 Feb 2003 22:29:44 +1100
From: (spam-protected)
To: (spam-protected)
Subject: Jhai Foundation Remote Villages Network Update, Security Issues, New FAQs, Press Visas

Jhai Foundation Remote Villages Network.

An update from Lee, New FAQ's, Security Issues and If You Need a Press Visa

Contacts:

Jesse Thorn 1 415 225 1665,
Earl Mardle 612 9787 4527,
Jhai's Enthusiastic "Ground Level" support team.

From Lee Thorn in Laos

Dear friends,

We are on track and we will launch on 13 February. Lee Felsenstein arrived last night and is whipping us into shape in his gentle, nerdish way. Ed Gaible arrived with him and is now up a tree on a mountain above the village of Phon Kham. All of us - about 40 people between the village and our staff and volunteers - are working hard and our spirits are high.

A Sad Day For Laos

Some of you may have heard about a 'terrorist attack' in Laos yesterday. The reports are true. Eight People on a bus and two people on motorcycles were killed after a robbery. Two of them were internationals. Their identities and nationalities have not yet been confirmed. The attackers are thought to be Lao citizens, probably Hmong, possibly still caught up in the war that ended 28 years ago here. This will not be confirmed until they are caught.

This incident took place more than 30 km North of Vang Vieng or about 100 km North of our launch site. This is a sad day in Laos.

Security Arrangements For The Launch

As I write, Vorasone Dengkayaphichith, our great country coordinator, is meeting with officials in Hin Heup District and Vientiane Province to make final arrangements for security for all people at our launch and party on 13 February. Vor and I know many, many children in the village of Phon Kham and the other villages and Bounthanh has nieces and nephews, and sisters and brothers and her parents there, too. Those children will be safe - and, I believe, we will be safe, too.

Our remote village project is a sophisticated, appropriate high tech endeavor designed by Lee Felsenstein and his excellent team specifically for the needs as expressed by the villagers who are getting the system.

And this project rests in Jhai Foundation, ... which is a reconciliation organization which, now, has worked for over five years in Laos, and nearly three, now, on state-of-the-art IT projects. Jhai Foundation is we people in it and our relationships - and there are hundreds of us doing something every day - and we are located all over the world.

Reconciliation, like peace - and like development - is the opposite of war. Reconciliation is the process of recognizing our connection - something that always was and always will be, something very, very valuable. Jhai - in Lao - means the spirit and energy of connection, as well as hearts and minds working together ... and many other similar things. It is neutral. It is up to us how we act, how we respect.

War and peace are matters of choice. Sometimes we choose to close down and kill. For this - I know and most Lao people know - you pay until you die. The price is unbelievably huge. Other times we choose to open up and connect. For this - thanks to Lao people who teach me about this daily by the way they are and act - I know you get the chance for joy, the chance to recognize others as just plain people ... and the chance to know and like yourself. The choice, it seems, is easy. What shall we take?

In an age of terrorism - which breeds fear like a virus - it is best to connect. We choose to connect, to move forward, to do what we can do - with you

A sextet of ales!

subject line of the week -- sounds like the spammer's been listening to Homer's Vocabulary Builder tape:

Subject: < Hi Jm, I am Bella, concupiscent youngster >

Apple’s ‘Bounce To Sender’ a Bad Idea

Matt journals a snippet from Apple's eNews newsletter (originally forwarded by Skip Montanaro on the spambayes list), as follows:

Delivering a One-Two Punch to Spammers

Yes, Mac OS X Mail can help you deliver a staggering blow to spammers. Simply pull down the Mail menu, choose Junk Mail, and select Automatic. The next time you receive email, Mail will move suspect email into a Junk folder.

Now you're ready to deliver a real knockout punch to spammers by taking advantage of yet another potent spam-fighting weapon:

  1. Click on the Junk folder.
  2. Type Command-a to select all of the email in the Junk folder.
  3. Choose Bounce to Sender from the Message menu.

    Mail will return the selected messages to the senders marked User unknown, making them think your email address invalid, encouraging them to drop you from their lists, and, thus, eliminating spam at its source.

Read on for details as to why this does not work (warning: long).

Subject: Bad move, Apple
From: Skip Montanaro (spam-protected)
Date: Thu, 6 Feb 2003 11:45:24 -0600 (17:45 GMT)
To: (spam-protected)

Got this in today's Apple eNews mailing:

1. Delivering a One-Two Punch to Spammers

    Yes, Mac OS X Mail can help you deliver a staggering blow to spammers. Simply pull down the Mail menu, choose Junk Mail, and select Automatic. The next time you receive email, Mail will move suspect email into a Junk folder.

    Now you're ready to deliver a real knockout punch to spammers by taking advantage of yet another potent spam-fighting weapon:

      1. Click on the Junk folder.
      2. Type Command-a to select all of the email in the Junk folder.
      3. Choose "Bounce to Sender" from the Message menu.

    Mail will return the selected messages to the senders marked "User unknown," making them think your email address invalid, encouraging them to drop you from their lists, and, thus, eliminating spam at its source.

    http://www.apple.com/macosx/jaguar/mail.html

Justin's comments:

This sounds like an attractive idea at first -- mail 'user unknown' Delivery Status Notifications back to the spammers, and they'll take your address off their lists. However, it doesn't work, and may actually send more noise to non-spammers. Here's why.

  • First of all, most spam these days is sent using one of three originating-address methods. The first is totally randomly generated From, Reply-To and/or Errors-To addresses, typically at a big ISP like Yahoo! or Hotmail. So replying to these with a 'user unknown' DSN will result in nothing more than wasting your own, and that ISP's, bandwidth, as the address never existed anyway.
  • The second method is for the spammers to use a random address plucked from the same 'addresses to spam' list your name is on. So your 'user unknown' DSN will be sent to someone else on the spam-list, increasing the amount of crap they get in their mailbox. Oops.
  • Third is the joe-job. This is where the spammer has deliberately picked the address of someone they dislike, so that a barrage of complaints, legitimate 'user unknown' messages, and -- yes -- forged 'user unknown' messages! -- will be sent to that person. Generally, if a spam-fighter gets joe-jobbed, you can be sure they're doing something right ;)

Next -- even if the spammers were to see your 'user unknown' message, they do not act on it:

  • There is a way for 'user unknown' messages to be communicated back to the spammer (by doing it in the very first SMTP transaction). However, many folks who have tried this method have noted that it has no effect; spamware tools take a 'fire and forget' approach.

      After all, spammers want to send the mail as fast as possible, before they're blocked from the relay or proxy they're abusing, and before the DNSBLs and Razor react. So the method is simply to send as much mail as possible, without waiting for replies, and with as little identifying information as possible (to make it hard for them to be tracked down). In other words, any data coming back from the receiver is worthless to them, and may in fact get them shut down, so must be avoided.

  • Another factor is that, if your address is one of those 'Addresses on CD', you've got hundreds of spammers you'll need to send bounces to (and hope they honour them). Each one of those spammers has a different copy of the address list, so removal from one -- if it happens -- won't help with removal from the others.
  • Yet another aspect is that they do not want to reduce the number of addresses they send to. Spam economics is such that 2,000,000 addresses on CD are worth more than 1,000,000 addresses on CD, and who cares if half of them bounce, 'cos you've paid your money already ;)

So, anyway, that's why sending fake-bounces in response to spam is bad.

One pay-off, however, is that it makes the creation of spam-traps easy:

HOW TO MAKE A SPAM-TRAP

  • Take an old account that gets too much spam, set up an auto-reply saying "this person has moved to (spam-protected)" (although probably using a less machine-readable address format).
  • 3 months later, delete the account so it bounces with 'user unknown'. That should clear out all the well-behaved mailing lists.
  • 6 months later, redirect it to yourself and monitor it, to catch the badly-behaved legitimate bulk mailers who do not handle bounces correctly (yes, there's a few of these, unfortunately.)
  • 1 month after that, set up an alias that runs "spamassassin -r". Install Razor, DCC and Pyzor. Set up a Razor account. Fix the old account's addresses so they forward to this alias. Also worth piping it to the Blitzed.org OPM checker.

Hey presto, there's your spam trap!

GNOME 2.2

GNOME 2.2 includes nifty new font technology, I see; including 'drag into ~/.fonts' font installation, at last, thanks to Keith Packard. I especially like this:

Jim Gettys and the GNOME Foundation Board worked with Bitstream, Inc. to arrange the donation of the Vera font family to the Free Software community.

Here's what Vera looks like; very nice. Finally, some decent free fonts -- kudos to Bitstream.

And I see subpixel smoothing is now right in there, in the basic font preferences. Excellent news!

But where TF is the Metacity documentation? Maybe there's none, in the tradition set down over generations of GNOME hacks^Wapplications. (Pet peeve: every command in the default PATH should have a manual page IMO.)

The 'documentation' and 'home page' links I can find all lead to a directory of tarballs. Great. The best result Google can find, after the aforementioned tarballs, is a blog posting complaining about Metacity. Hmm -- scary -- I really don't like the implication that the only way to do my own key-binding prefs, is to run a batch of 15 gconftool commands every time I log in... ah shaggit, I'll use sawfish ;)

(PS: yes, I'm still on GNOME 1. That's what happens when you're stuck on the wrong end of dial-up.)

Crypto: The Crypto Gardening Guide and Planting Tips by Peter Gutmann. Excellent advice on how crypto designers should design protocols so that they can actually get implemented. Also, as a corollary; good tips on common crypto gotchas for implementors to watch out for. Some bonus funnies, too:

Note: PGP adopts each and every bleeding-edge technology that turns up, so it doesn't figure in the above timeline. Looking at this the other way, if you want your design adopted quickly, present it as the solution for an attack on PGP.

A little bit more introduction on some of the items would be worthwhile though. I don't have a clue what OAEP is for example ;)

Auth cookies in SMTP

Jeremy describes a way to kill off 'joe-jobs' -- the practice of forging somebody's address on spam, generally used to get around 'does this user exist' spam-filters, also used to 'punish' folks the spammer doesn't like. Anyway, JZ's suggestion is this:

One of the ideas tossed about was to implement a system that would make it easy for any MTA (Mail Transfer Agent--the programs that deliver e-mail on the Internet) to verify that a message that claims to be from somebody@yahoo.com really is from a yahoo.com user.

This is technically doable. And it might be a good idea. Especially, as I argued, if one of the other big players (AOL or MSN/Hotmail) jumps on board and uses the same technique. If either one began to do the same, I expect that a domino effect would follow. Boom. Instant adoption.

But then he doesn't say how to do this in a way that a spammer can't forge. Dammit. ;)

Anyway, on with the message.

... However, one interesting objection was raised during the debate...

Wouldn't that just cause spammers to prey on domains that are less equipped to 'swallow a few million bounces per hour without breaking a sweat'? (To paraphrase a co-worker.)

Yep, it would -- until those domains also instituted similar systems. Anyway, those domains are victims now anyway; I would say only about 50% of my spam comes from forged Yahoo!, Hotmail or other domains -- the rest uses domains of small ISPs, and the occasional joe-job.

But back to the system. I would guess what Jeremy's talking about is pretty similar to the system Pedro Melo describes in the comments. It consists of 2 components:

  • a header added by the MTA at relay time -- X-Originator-Signature. This contains 'an internal identifier for the person who sent it ..., a timestamp, and a MD5 of those two fields and a third secret passphrase I keep.'
  • a CGI script on a web server, which validates a pasted X-Originator-Signature header against what hashing those values with the secret passphrase produces, and responds 'yea' or 'nay'.

A nifty idea. Jeremy, was that what you were thinking?
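
A sketch of the two components described above, as an added example (not Pedro Melo's or Jeremy's code): the header layout, the field names, the separator-free MD5 concatenation and the one-week window are all assumptions. It goes a step beyond the post by putting an HMAC-SHA256 variant with length-prefixed fields next to the MD5 one, which shows why the way the fields are joined matters.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-passphrase-for-this-example"  # constructed, not a real key
MAX_AGE = 7 * 24 * 3600  # assumed freshness window: one week
HEADER = "X-Originator-Signature"


def md5_token(user_id, ts, secret):
    # One literal reading of the post: MD5 over id + timestamp + passphrase,
    # joined with no separators (the separator-free layout is an assumption).
    return hashlib.md5(f"{user_id}{ts}".encode() + secret).hexdigest()


def hmac_token(user_id, ts, secret):
    # Keyed MAC over length-prefixed fields, so field boundaries are unambiguous.
    parts = (user_id.encode(), str(ts).encode())
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


SCHEMES = {"md5": md5_token, "hmac": hmac_token}


def sign(user_id, ts=None, secret=SECRET, scheme="hmac"):
    """MTA side: build the header line at relay time."""
    if not (user_id.isascii() and user_id.isalnum()):
        raise ValueError("user_id must be ASCII alphanumeric")
    ts = int(time.time()) if ts is None else int(ts)
    sig = SCHEMES[scheme](user_id, ts, secret)
    return f"{HEADER}: v={scheme}; id={user_id}; t={ts}; sig={sig}"


def verify(line, now=None, secret=SECRET, allowed=("hmac",)):
    """Validator side (the CGI in the post): returns (ok, reason)."""
    name, _, value = line.partition(":")
    if name.strip().lower() != HEADER.lower():
        return False, "malformed"
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition("=")
        if not sep or key in fields:
            return False, "malformed"
        fields[key] = val
    if set(fields) != {"v", "id", "t", "sig"}:
        return False, "malformed"
    if not (fields["id"].isascii() and fields["id"].isalnum()):
        return False, "malformed"
    if not (fields["t"].isascii() and fields["t"].isdigit()):
        return False, "malformed"
    if fields["v"] not in allowed or fields["v"] not in SCHEMES:
        return False, "scheme not accepted"
    ts = int(fields["t"])
    expected = SCHEMES[fields["v"]](fields["id"], ts, secret)
    # Constant-time comparison on bytes, so odd input cannot raise.
    if not hmac.compare_digest(expected.encode(), fields["sig"].encode("ascii", "replace")):
        return False, "bad signature"
    now = int(time.time()) if now is None else int(now)
    if not 0 <= now - ts <= MAX_AGE:
        return False, "outside time window"
    return True, "ok"


def fields_collide(scheme):
    """True if ("u12", 345) and ("u1", 2345) produce the same token."""
    token = SCHEMES[scheme]
    return token("u12", 345, SECRET) == token("u1", 2345, SECRET)


if __name__ == "__main__":
    line = sign("u1842", ts=1044633600)  # constructed user id and timestamp
    print(line)
    print(verify(line, now=1044633660))
    print("md5 fields collide:", fields_collide("md5"))
    print("hmac fields collide:", fields_collide("hmac"))
```

Nothing in the header is bound to the message it travels on, so a valid header copied onto a different message still verifies inside the time window; the check only shows that the header was minted by whoever holds the passphrase.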

SOAP and firewalls

Taking a look at the referrers, I came across Mark O'Neill's weblog, which lists taint.org on the blogroll; Mark's the CTO of Vordel. They have a product called VordelSecure, which seems to be a SOAP firewall proxy, in the same way the Wonderwall product I wrote for Iona was a proxy for CORBA:

When a firewall examines a SOAP request received over HTTP, it might conclude that this is valid HTTP traffic and let it pass. Firewalls tend to be all-or-nothing when it comes to SOAP. A SOAP-level firewall should be capable of:
  1. Identifying if the incoming SOAP request is targeted at a Web service which is intended to be available

  2. Identifying if the content of the SOAP message is valid. This is analogous to what happens at the Network Layer, where IP packet contents are examined. However, at the Application Layer it requires data that the Web service expects.

Cool!

I hear Wonderwall is still around, but rewritten from the ground up. Sorry about that to whoever had to rewrite it ;)

FTC to hold spam summit

FTC to Hold Three Day Public Spam Workshop. 'The Federal Trade Commission will host a three-day 'Spam Forum' Wednesday, April 30 through Friday, May 2, to address the proliferation of unsolicited commercial e-mail and to explore the technical, legal, and financial issues associated with it. The forum will be held at the Federal Trade Commission, 601 New Jersey Avenue, N.W., Washington, D.C. It will be open to the public and preregistration is not required.

A Federal Register notice to be issued shortly says, 'To explore the impact that spam has on consumers' use of e-mail, e-mail marketing and the Internet industry, the Commission will convene a public forum. E-mail marketers, anti-spammers, Internet Service Providers (ISP), ISP abuse department personnel, spam filter operators, other e-mail technology professionals, consumers, consumer groups, and law enforcement officials are especially encouraged to participate.''

Anti-Americanism and Anti-Europeanism

In the last few weeks, there's been a growing discussion of what's being perceived as an 'anti-American' point of view in Europe; see Thomas Friedman on the subject. On the other side, The New York Review of Books carries an interesting essay on this subject: Anti-Europeanism in America. It contains this revealing summary of a December 2002 study:

Asked to choose one of four statements about American versus European approaches to diplomacy and war, 30 percent of Democratic voters but only 6 percent of Republican voters chose 'The Europeans seem to prefer diplomatic solutions over war and that is a positive value Americans could learn from.' By contrast only 13 percent of Democrats but 35 percent of Republicans (the largest single group) chose 'The Europeans are too willing to seek compromise rather than to stand up for freedom even if it means war, and that is a negative thing.'

The divide was even clearer when respondents were asked to pick between two statements about 'the way in which the war on Iraq should be conducted.' Fifty-nine percent of Republicans as opposed to just 33 percent of Democrats chose 'The US must remain in control of all operations and prevent its European allies from limiting the States' room to maneuver.' By contrast, 55 percent of Democrats and just 34 percent of Republicans chose 'It is imperative that the United States allies itself with European countries, even if it limits its ability to make its own decisions.'

It seems a hypothesis worth investigating that actually it's Republicans who are from Mars and Democrats who are from Venus.

Cannabis Economics

and now, on a lighter note, The Observer reports that the 'cannabis economy' in the UK is worth 11 billion UKP a year:

A major new study is being used to advise well known household and high-street companies about the gains and losses they face as cannabis smoking becomes commonplace. Research has revealed that Britain's 'cannabis economy' is worth 5 billion a year in sales alone. Now it has been discovered that a further 6bn of consumer expenditure each year is closely linked to the growing cannabis-users' market.

'Young people between 15 and 30 are very trend-conscious and aspirational,' said Andy Davidson, who commissioned the study for The Research Business International, trend analysts who tracked the spending habits of young people for six months. The study found that cannabis users spend an average of UKP 20 on products that accompany their drug use each time they smoke.

Because smoking cannabis heightens appetite, users are providing a UKP 120 million weekly windfall to a string of takeaway food suppliers, such as Domino and Pizza Hut, and manufacturers of 'munchie' products such as Mars bars and Haribo jellies.

The explosion of Columbia

as everyone knows by now, the space shuttle Columbia has exploded on re-entry over Texas. It's an extremely sad occasion, and a terrible thing to happen.

Lots of people look on space exploration, and the astronauts who do it, as something mundane. No way -- it takes a certain kind of bravery and heroism to do this. Every astronaut (from what I've read) is clearly aware of the odds that the vehicles they use have a large likelihood of suddenly exploding beneath their feet -- and is therefore taking a huge risk on behalf of humanity, and the expansion of human knowledge. They should be viewed as heroes, as a result.

I just hope the ISS project, and manned spaceflight in general, continues...

Some off-beat news links you may not have seen:

Durian fruit

CNN: A box of durian, sprinkled with carpet deodorizer, sparked an aviation alert in Australia on Thursday (via monkeybum):

When they finally found the source of the smell, it was a box of durian, a large, spiny tropical fruit renowned for its fetid aroma. While many people in Southeast Asia consider the durian a delicacy, it is banned from Singapore's subway and some restaurants in the region because of its overpowering smell.

'This wasn't a safety issue, this was gross issue -- no one wants to fly in an airplane that smells like that,' (Virgin Blue boss Brett Godfrey) said. He compared the smell of the gourmet fruit to 'something you'd find in your outdoor dunny' adding that 'it just is the most pungent, disgusting smell.'

No shit -- durian really stinks. I've tried to cultivate the taste for it, but failed miserably. Worse, for 3 hours in the passenger seat from Khao Sok to Surat Thani in Thailand, I was stuck with a selection of 'em by my feet -- no escape!

The nearest thing to their odor is really pungent, cheesy socks. 'foetid' is the word for it.

7.5% of Euro households have broadband

SiliconRepublic: Ireland second last in Europe for broadband. But I think regular readers will know that ;) 'Ireland's already shaky claim to the title European digital hub was looking even more risible than usual today, following the latest internet penetration survey, which shows us to be languishing in second last place out of 16 European countries in terms of broadband internet penetration.'

The usual story -- with quotes from IO's Dave Long -- and that's not surprising. I should imagine things will improve a lot this year, now that the ComReg seems a little more on the job, and eircom have halved their prices.

But the really interesting thing is this: 'Among the survey's other findings were that 7.5pc (12 million) of all European households now subscribed to a broadband internet service. 6.3 million customers signed up for broadband for the first time in 2002 -- an increase of 55pc over 2001. ... It further predicted that a further 7.2 million European homes will acquire broadband for the first time this year, bringing the total to 19.1 million or 11.9pc of total households.'

That's excellent news, and wipes out the FUD put about by some telcos (guess which ones) that there just isn't demand in the current market. Clearly there is strong demand throughout the rest of Europe -- and there really isn't much difference between there and here. In fact, if anything, I reckon there would be more demand here, based on the take-up of other high-tech accessories like mobile phones and games consoles.

Latency and DSL

'It's the Latency, Stupid!', a fantastic article explaining why latency is sometimes more important than simple bandwidth.

This was found via Karl Jeacle's comments on eircom's DSL, which are very illuminating in themselves -- although probably not too interesting for non-Irish folks ;). But the relevant part is the explanation of why they enabled interleaving on eircom's DSL network (summary: to get more reach, as far as I can see).

TWiki

Interesting story of how Inktomi replicated knowledge across multiple, separated geographical offices, while doing it in an efficient, cross-platform, reliable and accessible way: first of all, they use TWiki, and second, it's set up as a DistributedTWiki.

more Watchcam

I found a load of snaps from my Casio Watch Camera that I hadn't uploaded yet. I'd uploaded them, but forgot to add them to CVS ;) Here's a nice one -- a ca. 19th century hygrometer made in the Mason family's opticians shop in Essex Bridge, Dublin, found in the museum at Collins Barracks:

The Onion comes through

U.N. Orders Wonka To Submit To Chocolate Factory Inspections:

UNITED NATIONS -- Responding to pressure from the international community, the U.N. ordered enigmatic candy maker William 'Willy' Wonka to submit to chocolate-factory inspections Monday. 'For years, Wonka has hidden the ominous doings of his research and development facility from the outside world,' U.N. Secretary General Kofi Annan said. 'Given the reports of child disappearances, technological advances in glass-elevator transport, and Wonka-run Oompa-Loompa forced-labor camps, the time has come to put an end to three decades of secrecy in the Wonka Empire.'

We Are Made For Higher Timings

A memorable mistranslation found in a guesthouse at Annapurna Base Camp:

Photo of a memorably-mistranslated poster

Help! I'm being underclocked! ;) Perhaps that explained the shortness of breath and dizziness...

(I did some scanning of the hundreds of photos from last year's trip about a month ago, but haven't had a chance to fix 'em all up yet. And I'm not uploading anything until I get to CA and some decent bandwidth.)

Monkey sense (fwd)

A funny letter from New Scientist regarding the use of monkeys to collect specimens in the field, which was pioneered by John Corner in Singapore.

The botanist noticed that local fruit-pickers trained monkeys to collect fruit, and reasoned that a monkey could similarly be trained to collect flowers, leaves and nuts for his own work. The result was the collection of hundreds of otherwise inaccessible specimens -- and this gem:

Travelling with mule and monkey on a narrow path in the uplands, he spied a new and unrecognised flower on a liana hanging from the path, down a near-vertical cliff face too steep for him to climb down. So he instructed the monkey to descend and collect the flower. But the monkey just looked at him questioningly with its head on one side.

'Go down!' repeated the eminent botanist. At which the monkey gave an eloquent shrug, took hold of the liana and pulled it up hand over hand to collect the flower. No human being, said Corner, had ever, before or since, made him feel so much of a fool.

Bank of America ATMs are net-connected!

Boing Boing notes that the SQL Slammer worm 'caused service outages at tens of thousands of Bank of America ATMs and wreaked havoc at Continental Airlines. Apparently, customers at most of the #3 American bank's 13,000 automatic teller machines were unable to process transactions for a period of time.'

Does anyone else find it very scary to contemplate an ATM network connected to the internet, with a sufficiently open set of firewalls that a semi-documented Microsoftish SQL protocol can traverse as far as the ATM servers? Sure, it probably took a few hops, compromising a couple of SQL servers along the way, but each of the firewalls in question must have had that MS-SQL port open for those servers. Yikes.

Someone should teach those guys about network compartmentalization for security; something like an ATM network, where security is hugely essential, should never have a direct IP-based connection to the internet, no matter how many firewalls and gateways are in place.

Spam: NACS: Spam Detection. Great, Catherine's new email system at UCI uses SpamAssassin. Nothing like getting bug reports from your SO ;)

On the other side, though, they've written an excellent set of pages on how to detect and act on the SpamAssassin markup in various MUAs.

deny udp any any eq 1434

It looks like the latest internet worm is making the rounds, and this one's a biggie. It's been dubbed 'SQLSlammer', since it hammers on the Microsoft SQL ports, attempting to exploit yet another commonly-unpatched 7-month-old MS vulnerability. The best bit: it uses UDP broadcasts to do this, so the traffic load is massive compared to previous worms, so there's lots and lots of backbone hosage as a result. Coverage:

Quick fix: update those router filters to deny all traffic, both UDP and TCP, on port 1434. (you shouldn't need to update the firewall filters of course, because nobody's stupid enough to allow access to open-internet MS SQL traffic, right? ;)
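A filter line only helps if it is evaluated before any broader permit, and the quick fix above asks for both UDP and TCP. The following is an added example (not from the original post or any vendor tool) that audits a rule list with first-match semantics; it assumes a simplified Cisco-IOS-style extended ACL subset limited to `any any` endpoints with an optional `eq <port>`, and the three sample ACLs are constructed.

```python
import re

# One rule per line, e.g. "access-list 101 deny udp any any eq 1434".
RULE_RE = re.compile(
    r"^access-list\s+\d+\s+(?P<action>permit|deny)\s+(?P<proto>ip|udp|tcp)"
    r"\s+any\s+any(?:\s+eq\s+(?P<port>\d+))?$")

# Constructed sample ACLs (assumed syntax subset, not taken from a real router).
ACL_LATE_DENY = """\
access-list 101 permit ip any any
access-list 101 deny udp any any eq 1434
"""
ACL_UDP_ONLY = """\
access-list 101 deny udp any any eq 1434
access-list 101 permit ip any any
"""
ACL_BOTH = """\
access-list 101 deny udp any any eq 1434
access-list 101 deny tcp any any eq 1434
access-list 101 permit ip any any
"""


def parse_acl(text):
    """Return [(line number, action, protocol, port or None), ...]."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):      # blank line or comment
            continue
        m = RULE_RE.match(line)
        # "eq" only makes sense with tcp/udp, so reject it on "ip" rules.
        if m is None or (m["proto"] == "ip" and m["port"]):
            raise ValueError(f"line {lineno}: unsupported rule {line!r}")
        port = int(m["port"]) if m["port"] else None
        rules.append((lineno, m["action"], m["proto"], port))
    return rules


def first_match(rules, proto, port):
    """Apply first-match-wins evaluation to one (protocol, port) pair."""
    for lineno, action, rule_proto, rule_port in rules:
        if rule_proto in ("ip", proto) and rule_port in (None, port):
            return action, lineno
    return "deny", None        # implicit deny at the end of the list


def audit_port(text, port=1434):
    """Map each transport protocol to (action, deciding line number)."""
    rules = parse_acl(text)
    return {proto: first_match(rules, proto, port) for proto in ("udp", "tcp")}


if __name__ == "__main__":
    for name, acl in [("late deny", ACL_LATE_DENY),
                      ("udp only", ACL_UDP_ONLY),
                      ("both", ACL_BOTH)]:
        print(name, audit_port(acl))
```

In the first sample the deny line is present but never reached, which is the case a quick visual check of the config tends to miss.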

Kim Jong Il, Giant Robot

Kim Jong Il Unfolds Into Giant Robot (Onion). Met up with Paddy Benson last night for a few drinks, and he let me into the secret that The Onion is, once again, officially funny:

'If we add Kim Jong Il's transformation into a giant robot to his already defiant isolationist stance and his country's known nuclear capability, the diplomatic terrain definitely becomes more rocky,' U.S. envoy James Kelly said. 'Kim has made it clear that, if sufficiently threatened, he will not hesitate to use nuclear weapons or his arm-mounted HyperBazooka.'

'We are also forced to consider the possibility that Kim may attempt to robo-meld with other members of the Axis of Evil, forming a MegaMecha-Optima-Robosoldier. Kim would make a powerful right arm -- or even a torso -- for such a mechanism.'

Wotcher Paddy!

Matt Blaze vs master keys

Matt Blaze has posted a very neat exploit against 'weaknesses in most master-keyed lock systems, such as those used by offices, schools, and businesses as well as by some residential facilities (particularly apartment complexes, dormitories, and condominiums). These weaknesses allow anyone with access to the key to a single lock to create easily the master key that opens every lock in the entire system. Creating such a key requires no special skill, leaves behind no evidence, and does not require engaging in recognizably suspicious behavior. The only materials required are a metal file and a small number of blank keys, which are often easy to obtain.'

'The vulnerability was discovered by applying the techniques of cryptanalysis, ordinarily used to break secret codes, to the analysis of mechanical lock design.'

Paper here.

Tardis-noise inventor dies

Daphne Oram, one of the pioneers of electronic music, has died. (BBC)

Almost un-noticed by the wider world, one of the pioneers of electronic music has died. Without Daphne Oram, we may never have known what the Tardis sounded like. Electronic music - as much a part of today's life as whistling a tune to yourself - grew up amid milk bottles, gravel, keys, and yards of magnetic tape and wires. These were the sort of tools typically scattered around the BBC's Radiophonic Workshop in the 1950s and 60s, when they were used to generate wonderful and ethereal sounds for the airwaves. The mother of this great legacy was Daphne Oram. Aged 18, and armed with a passionate interest in sound, music and electronics, she started work at the BBC in 1943 as a sound engineer.

Lotsa SpamConf linkage and commentary

Another good trip report, from 'babbage' at perl.org.

  • Again, and interestingly, quite a few folks agreed with one of SA's core tenets; no single approach (stats, RBLs, rules, distributed hashes) can filter effectively on its own, as spammers will soon figure out a way to subvert that technique. However, if you combine several techniques, they cannot all be subverted at once, so your effectiveness in the face of active attacks is much better.

  • Also interesting to note how everyone working with learning-based approaches commented on how hard it was to persuade 'normal people' to keep a corpus. Let's hope SA's auto-training will work well enough to avoid that problem.

  • in passing -- babbage noted the old canard about Hotmail selling their user database to spammers. That must really piss the Hotmail folks off ;) I think it's much more likely that, with Moore's Law and the modern internet, a dictionary attack *will* find your account eventually.

  • Good tip on the legal angle from John Praed of The Internet Law Group: if a spam misuses the name of a trademarked product like 'Viagra', get a copy to Pfizer pronto. Trademark holders have a particular desire to follow up on infringements like this, as an undefended trademark loses its TM status otherwise.

  • David Berlind, ZDNet executive editor: 'They don't want to be involved (in developing an SMTPng)'. He might say that, but I bet their folks working on sending out their bulk-mailed email newsletters might disagree ;). Legit bulk mail senders have to be involved for it to work, and they will want to be involved, too.

  • Brightmail have a patent on spam honeypots? Must take a look for this sometime.

  • the plural of 'corpus' is 'corpora' ;)

Great report, overall.

It's interesting to see that Infoworld notes that reps from AOL, Yahoo! and MS were all present.

Since the conf, Paul Graham has a new paper up about 'Better Bayesian Filtering', and lists some new tokenization techniques he's using:

  • keep dollar signs, exclamation and most punctuation intact (we do that!)

  • prepend header names to header-mined tokens (us too!)

  • case is preserved (ditto!)

  • keep 'degenerate' tokens; 'Subject:FREE!!!' degenerates to 'Subject:free', to 'FREE!!!', and 'free'. (ditto! well, partly. We use degeneration of tokens, but we keep the degenerate tokens in a separate, prefixed namespace from the non-degenerate ones, as he contemplates in footnote 7. It's worth noting that case-sensitivity didn't work well compared to the database bloat it produced; each token needs to be duplicated into the case-insensitive namespace, but that doubled the database size, and the hit-rate didn't go up nearly enough to make it worthwhile.)

Most of these were also discovered and verified experimentally by SpamBayes, too, BTW.

When we were working on SpamAssassin's Bayesian-ish implementation, we took a scientific approach, and used suggestions from the SpamBayes folks and from the SpamAssassin community on tokenizer and stats-combining techniques. We then tested these experimentally on a test corpus, and posted the results. In almost all cases, our results matched up with the SpamBayes folks' results, which is very nice, in a scientific sense.
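The tokenization rules listed above, as an added Python example (this is not SpamAssassin's, SpamBayes' or Paul Graham's code). It keeps punctuation and case, prepends header names, and stores degenerate forms in a separate namespace that is consulted only when the exact token is unknown; the `deg:` prefix, the 0.5 score for unknown tokens, the simple frequency ratio and the four-message corpus are all assumptions made for the illustration.

```python
import re

TOKEN_RE = re.compile(r"[A-Za-z0-9$'!-]+")  # '$' and '!' stay inside tokens
DEG_PREFIX = "deg:"   # hypothetical prefix marking the degenerate namespace
UNKNOWN = 0.5         # assumed neutral score for a token never seen in any form


def tokenize(headers, body):
    """Exact tokens: 'Header:word' for header text, bare 'word' for the body."""
    tokens = [f"{name}:{word}" for name, value in headers
              for word in TOKEN_RE.findall(value)]
    return tokens + TOKEN_RE.findall(body)


def forms(token):
    """Generalised forms of a token, most specific first (may include itself)."""
    header, _, word = token.rpartition(":")
    plain = word.lower().rstrip("!")
    out = []
    for form in ((f"{header}:{plain}" if header and plain else ""),
                 (word if header else ""), plain):
        if form and form not in out:
            out.append(form)
    return out


def degenerate(token):
    """The forms a token degenerates to, excluding the token itself."""
    return [f for f in forms(token) if f != token]


class TokenDB:
    def __init__(self):
        self.exact = {}     # token -> [spam messages, ham messages]
        self.deg = {}       # degenerate form -> [spam messages, ham messages]
        self.msgs = [0, 0]  # messages trained as [spam, ham]

    def train(self, headers, body, is_spam):
        idx = 0 if is_spam else 1
        self.msgs[idx] += 1
        tokens = set(tokenize(headers, body))     # count once per message
        for key in tokens:
            self.exact.setdefault(key, [0, 0])[idx] += 1
        for key in {f for t in tokens for f in forms(t)}:
            self.deg.setdefault(key, [0, 0])[idx] += 1

    def _prob(self, counts):
        spam = counts[0] / max(self.msgs[0], 1)
        ham = counts[1] / max(self.msgs[1], 1)
        return spam / (spam + ham)

    def lookup(self, token):
        """Return (key used, spam probability), preferring the exact token."""
        if token in self.exact:
            return token, self._prob(self.exact[token])
        for form in forms(token):
            if form in self.deg:
                return DEG_PREFIX + form, self._prob(self.deg[form])
        return None, UNKNOWN

    def sizes(self):
        """Number of keys in the (exact, degenerate) namespaces."""
        return len(self.exact), len(self.deg)


def build_demo_db():
    """Train on a tiny constructed corpus (two spam, two ham messages)."""
    db = TokenDB()
    db.train([("Subject", "FREE!!! prize")], "Claim your $100 now", True)
    db.train([("Subject", "Free! offer")], "FREE!!! $$$ inside", True)
    db.train([("Subject", "free software meetup")], "Agenda attached", False)
    db.train([("Subject", "lunch")], "Are you free on Friday", False)
    return db


if __name__ == "__main__":
    db = build_demo_db()
    print(degenerate("Subject:FREE!!!"))
    for tok in ("Subject:FREE!!!", "Subject:FREE!", "free", "Subject:zzz"):
        print(tok, db.lookup(tok))
    print("exact keys, degenerate keys:", db.sizes())
```

Even on four short messages the second namespace holds more keys than the exact one, which is the database-size cost weighed against hit rate in the last bullet above.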

(PS: update on the Fly UI story -- 'apis' is not French, it's Latin. oops! Thanks Craig...)

Trip Report from the SpamConf

Kaitlin Duck Sherwood writes a trip report. Good tidbits:

  • many big players in the mail-sending side want to see an SMTPng; a new protocol which is spam-resistant.

  • Jon Praed of the Internet Law Group said that 'better spam filters make his job easier: the more contortions that a spammer goes through to make sure that the messages go through, the easier it is to convince a judge that the spammer knew it was wrong.' Excellent!

Toilet Flies

Andrew McGlinchey writes about a Fly UI: 'I have seen one of the finest instances of user interface design ever, and I saw it in the men's room at Schipol airport in Amsterdam. In each of the urinals, there is a little printed blue fly. It looks a lot like a real fly, but it's definitely iconic - you're not supposed to believe it's a real fly. It's printed near the drain, and slightly to the left.'

I've heard of this one before, and yes, it is an aiming-improvement UI. It started in France around the turn of the century, if I recall correctly. One important fact: it's not a fly -- it's a bee. You see, it's also a visual pun -- the French for 'bee' is 'apis', geddit?

(I'd have commented on the blog, itself, but it's one of those 'create an account to comment' places -- too much trouble!)

He's also spot-on about why tea is big in Ireland: 'The climate is cool, grey and damp. Steady doses of warm drink with a nice gentle caffeine push really keeps you going.' Hey, works in the Himalayas too ;)

UL alert: ‘out-of-office’ autoreplies help burglars

BoingBoing, back in December, forwarded this snippet: 'A report issued by UK-based Infrastructure Forum ('TIF') says spam-savvy thieves are using info from 'out of office' email autoresponders and cross-referencing it with publicly available personal data to target empty homes.'

Criminals are buying huge lists of email addresses over the internet and sending mass-mailings in the hope of receiving 'out of office' auto-responses from workers away on holiday.

By cross-referencing such replies with publicly available information from online directories such as 192.com or bt.com, the burglars can often discover the name, address and telephone number of the person on holiday. Tif is advising users to warn their staff to be careful of the information they put in their 'out of office' messages.

"You wouldn't go on holiday with a note pinned to your door saying who you were, how long you were away for and when you were coming back, so why would you put this in an email?" said David Roberts, chief executive at Tif. (via VNUNet)

My take on this? Bullshit.

I mean, how many house burglars (a) have the know-how to set up a fast internet connection, get hold of an addresses CD, and send a spam; and then (b) how often does a Reply-To address on a spam stay active once it's sent -- assuming it ever worked in the first place -- before the ISP whacks their account? I would guess 6 hours at the most, and most spam runs wouldn't even be halfway through by that stage (from what I hear).

Self-promoting bullshit of the highest order I reckon.

Six Degrees Tested

Steppe by Step (Guardian). "I started wondering if (the 'six degrees of separation' theory) was true today. ... So 35 years on from the original experiment, I decided to test out the urban myth on a world stage: how many steps would it really take to get to someone on the other side of the planet?"

The London-based "city girl" author, Lucy Leveugle, makes it in 9 steps (hey, the world has expanded!) to Purev-Ochir Gungaa, a nomadic herdsman in the middle of the steppes of Outer Mongolia. Amazing.

weird referrers

308 referrer hits from www.xxxstoryarchive.com, 282 from amateur-porn.us, 282 from nude-lesbians.us, etc. Somehow I doubt it. All the hits are 404s, looking for e.g.

nn.nn.nn.nn - - [12/Jan/2003:18:52:13 +0000] GET /pics54754-96 HTTP/1.1 404 284 http://www.celebrity-nude-pics.com/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"

Hits from hosts at AT&T WorldNet Services and an SBC PPPoX pool. They're all MSIE 6 on Windows, and it's been going on for a month or so.

Theory: sounds like MSIE's download-to-'view'-offline functionality has bugs; when it hits a 404, maybe it requeues that request but then sends it to entirely the wrong IP.

Alternative theory: it's a pathetically underpowered DDoS. ouch!

Anyone else seen this?
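One way to pull this pattern out of an access log, as an added example that is not part of the original post: group requests by referrer host and flag hosts whose hits are almost all 404s, since a real inbound link normally points at a page that exists. The thresholds, function names and every log line below are constructed (documentation IP ranges and `.example` hosts); the parser accepts both the standard quoted combined format and the unquoted form shown in the line above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format; the quotes around request and referrer are optional.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"?(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)"? '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"?(?P<referrer>[^" ]*)"? "(?P<agent>[^"]*)"$')

MSIE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
OTHER = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1)"

# Constructed sample log lines.
SAMPLE_LOG = [
    f'192.0.2.10 - - [12/Jan/2003:18:52:13 +0000] GET /pics54754-96 HTTP/1.1 404 284 http://forged-a.example/ "{MSIE6}"',
    f'192.0.2.11 - - [12/Jan/2003:18:53:02 +0000] "GET /pics10021-3 HTTP/1.1" 404 284 "http://forged-a.example/" "{MSIE6}"',
    f'192.0.2.12 - - [12/Jan/2003:18:55:40 +0000] "GET /pics88120-41 HTTP/1.1" 404 284 "http://forged-a.example/" "{MSIE6}"',
    f'192.0.2.10 - - [12/Jan/2003:19:01:07 +0000] "GET /pics3317-8 HTTP/1.1" 404 284 "http://forged-b.example/" "{MSIE6}"',
    f'192.0.2.13 - - [12/Jan/2003:19:02:19 +0000] "GET /pics3318-2 HTTP/1.1" 404 284 "http://forged-b.example/" "{MSIE6}"',
    f'192.0.2.14 - - [12/Jan/2003:19:04:55 +0000] "GET /pics3320-9 HTTP/1.1" 404 284 "http://forged-b.example/" "{MSIE6}"',
    f'198.51.100.7 - - [12/Jan/2003:19:10:00 +0000] "GET /blog/ HTTP/1.1" 200 5120 "http://friend-blog.example/links.html" "{OTHER}"',
    f'198.51.100.8 - - [12/Jan/2003:19:11:30 +0000] "GET /blog/ HTTP/1.1" 200 5120 "http://friend-blog.example/links.html" "{OTHER}"',
    f'198.51.100.9 - - [12/Jan/2003:19:12:45 +0000] "GET /blog/old.html HTTP/1.1" 404 284 "http://friend-blog.example/2002.html" "{OTHER}"',
    f'198.51.100.9 - - [12/Jan/2003:19:13:01 +0000] "GET /favicon.ico HTTP/1.1" 404 284 "-" "{OTHER}"',
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # hostname is None for "-" or anything that is not an absolute URL
    rec["host"] = urlsplit(rec["referrer"]).hostname
    return rec


def suspicious_referrers(lines, min_hits=3, min_404_ratio=0.9):
    """Referrer hosts with enough hits, nearly all of them 404s."""
    stats = defaultdict(lambda: {"hits": 0, "not_found": 0, "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] is None:
            continue
        entry = stats[rec["host"]]
        entry["hits"] += 1
        entry["not_found"] += rec["status"] == 404
        entry["agents"].add(rec["agent"])
    flagged = [
        {"host": host, "hits": e["hits"], "not_found": e["not_found"],
         "agents": sorted(e["agents"])}
        for host, e in stats.items()
        if e["hits"] >= min_hits and e["not_found"] / e["hits"] >= min_404_ratio
    ]
    return sorted(flagged, key=lambda r: (-r["hits"], r["host"]))


if __name__ == "__main__":
    for row in suspicious_referrers(SAMPLE_LOG):
        print(row)
```

A single user-agent string across every flagged host, as in the constructed sample, matches the all-MSIE-6 observation in the post and is worth reporting alongside the counts.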

Still Moving

Who knew relocating with a cat could be so tricky? Well, actually, I did. He hates travel. I'm considering just putting him in a crate and handing him off to a courier to do it.

Paul Graham's Spam Conference seems to be doing great; they've moved to a bigger room, and are expecting 480 (!!) attendees.

I still can't make it due to all this movage, but thankfully there's a few SpamAssassin folks going, so we'll still be able to snarf some good tricks with any luck.

In other news, the public mass-check submission run for SpamAssassin 2.50 is about to start; with the new with-bayes and with-net-tests dimensions in the matrix, it's going to be the biggest run yet. Should be fun.

The good news

Frequent drinking cuts heart attack risk (New Scientist). 'Half an alcoholic drink every other day, be it wine, whisky or beer, can reduce the risk of heart attacks by a third, a new study shows. The 12-year study published in The New England Journal of Medicine found that the frequency of drinking was the key to lowering the risk of heart disease, rather than the amount, the type of alcohol, or whether or not it was drunk with food.'

minor bloglet

New Scientist: Turing tests filter spam email. "Simple tests designed to distinguish computers from humans are increasingly being used to clamp down on unsolicited, or 'spam', email advertising."

The article notes that Yahoo! has imposed such a test to block automated account-signup-then-spam bots. (Thankfully -- that might discourage some of the more automated 419 spammers.)

Sorry 'bout the lack of blogging -- very busy 'round here, what with a new SpamAssassin release in the pipeline and a move to the US in the offing...

1 January 1659/60 (Lord’s Day)

Samuel Pepys has a weblog:

This morning (we living lately in the garret,) I rose, put on my suit with great skirts, having not lately worn any other, clothes but them. Went to Mr. Gunning's chapel at Exeter House, where he made a very good sermon.

Anyway, still recovering from the holidays. Hope you all had a good one..

EU DMCA fails – for now

Yahoo!: Deadline Passes for European Digital Copyright Law. 'A deadline for adopting a new EU law on copyright protection has passed with just two member countries signing up, dealing a blow to media and software companies beset by unauthorized duplication of their works across the Internet.' The two countries are Greece and Denmark, which is odd, considering I thought Ireland had done so too.

Other actors in the private sector, such as Internet service providers, have weighed in heavily on the issue, opposing laws that could ultimately hurt consumer rights.

Yay ISPs!

Ireland wins the Nationalist Song Competition

BBC: An Irish republican song, A Nation Once Again, has been voted the world's top tune according to a BBC World Service poll. 'Following a late surge in votes, the Irish sing along crossed the finishing line ahead of a patriotic Hindi song, Vande Mataram.'

'The poll had to deal with people trying to influence the vote through fan sites and spamming.' No shit. The funniest thing about this poll was the way it suddenly stopped being about 'the world's top 10 tunes' and suddenly became 'how many 'net users can each country mobilize to vote for a patriotic song'.

Still, I'm impressed the clicky fingers of the Irish net population (pop. 6 million) managed to beat those of India (pop. 1 billion)!

anti-drug propaganda slips up

Guardian: DrugScope, the drug charity, says that an 'intensive media campaign against the drug ecstasy has led to an increase in cocaine use among young people'. whoops.

'Studies show the reason they no longer use ecstasy is because of the scare stories,' said a spokesman for the charity. 'They haven't seen similar stories about cocaine and their belief is that cocaine is the safer drug. The reality is that cocaine, especially crack cocaine, is a much more harmful drug - it kills more people each year and more people have dependency on it.'

They also add a few UL-busting facts:

DrugScope's guide argues that there are no recorded examples of heroin ever being cut with ground glass ... no drug is instantly addictive and that addiction generally takes several months to develop ... physical withdrawal from heroin is like a bad bout of flu, not a near-death experience.

Aaron’s networking

Aaron's trip to CA comes to an end in a big bang of serious meeting-up.

I read his blog using the rss2mail mail-based news aggregator he wrote (I live in e-mail, especially while I'm still on the wrong side of dialup), and I think this is the most homepage-link-laden blog entry I've ever read. 45 links, count 'em! Wow, I hope he can keep all those name-to-face mappings clear ;)

In other news: it seems that football (proper football, played with feet, ie. soccer) is bad for you: the World Cup penalty shoot-out caused a surge in heart attacks for England fans (New Scientist). Ban Football Now!

Son of Star Wars leaves drivers stranded

Son of Star Wars leaves drivers stranded (Guardian). Interesting collision between military and civvie radio technology.

The upgrading of the security and surveillance systems at (RAF Fylingdales base in Yorkshire, which is planned to be used as a UK base for new US 'Star Wars' projects) ... is knocking out the electrical systems of expensive cars. ... High power radar pulses trigger the immobilising devices of many makes of cars and motorcycles - BMW, Mercedes and Jeep among them. Many have had to be towed out of range of the base before they can be restarted.

Wing Commander Chris Knapman, of RAF Fylingdales, said it was not up to the base to resolve the problem. 'We have had the frequencies we use for a very long time,' he said. 'They are allocated to commercial, military and government users, and the allocation is very tightly controlled. As far as we are concerned, the radars are working on frequencies which are well known, and most car manufacturers take that into account.'

A spokesman for Jeep said: 'The problem is that the government gives manufacturers such a narrow band to operate in - so the radio wave (sic) we use for our key fob is severely restricted.'

Lamest patent prior-art search ever?

AOL patents instant messaging (/.). 'Specifically, any technology that provides 'a network that allows multiple users to see when other users are present and then to communicate with them' is covered.'

The CNet story which /. references points out that the patent was filed in 1997 -- but that's still 6 years after I wrote a similar perl script on the Maths Department UNIX machines in TCD. There's a myriad of similar apps, of the same vintage, too.

The thing I find amazing is this, however -- the AOL patent actually cites prior art in its References section, namely the xhtalk README file, dated 1992. There's nothing different between xhtalk and AOL Instant Messenger apart from the protocol and the look and feel, and those aren't key to the patent.

The US patent office really needs to start reading the patent applications before granting them.

Who 0wnz your government?

Danny reports "the always excellent c't magazine analyses the hypotheticals of the Dutch IP-surveillance scandal:

According to anonymous sources within the Dutch intelligence community, all tapping equipment of the Dutch intelligence services and half the tapping equipment of the national police force, is insecure and is leaking information to Israel. ..."

Yikes. You'd think they'd have learnt from Ireland's mistakes.... this article (update: moved to here) reports that massive back-door use by a third-party government occurred before in similar circumstances, during the Anglo-Irish negotiations of 1985.

For those of you who don't know, these discussions were between the Republic of Ireland and the UK, and took place in London.

In order to allow the negotiating team to contact their government and civil service securely, a million-pound cryptographic system had been bought in order to secure the link between the Irish Embassy in London and the government in Dublin.

Unfortunately, this equipment was thoroughly compromised.

It turns out that the Swiss company from which the equipment was bought, namely Crypto AG, had cooperated with the NSA and the BND (the NSA's German equivalent), to allow them to decipher the traffic trivially. (Judging from the snippet from another article below, sounds like this was done using a known-plaintext attack).

The NSA routinely monitored and deciphered the Irish diplomatic messages. All it took then was for the UK's NSA equivalent, GCHQ, to pull some strings, and the UK government had a distinct advantage in the negotiations from then on.

Another source for details on Crypto AG's breakage is Der Spiegel, issue 36/96, pages 206-207. Here's some snippets:

The secret man (sic) have obviously a great interest to direct the trading of encryption devices into ordered tracks. ... A former employee of Crypto AG reported that he had to coordinate his developments with "people from Bad Godesberg". This was the residence of the "central office for encryption affairs" of the BND, and the service instructed Crypto AG what algorithms to use to create the codes.

Members of the American secret service National Security Agency (NSA) also visited the Crypto AG often. The memorandum of the secret workshop of the Crypto AG in August 1975 on the occasion of the demonstration of a new prototype of an encryption device mentions as a participant the cryptographer of the NSA, Nora Mackebee. ...

Depending on the projected usage area the manipulation on the cryptographic devices were more or less subtle, said Polzer. Some buyers only got simplified code technology according to the motto "for these customers that is sufficient, they don't not need such a good stuff."

In more delicate cases the specialists reached deeper into the cryptographic trick box: The machines prepared in this way enriched the encrypted text with "auxiliary informations" that allowed all who knew this addition to reconstruct the original key. The result was the same: What looked like impenetrable secret code to the users of the Crypto-machines, who acted in good faith, was readable with not more than a finger exercise for the informed listener.

Full text here.

So what's the bottom line? Use GPG! ;)

From: Julian Assange (spam-protected)

To: (spam-protected) (spam-protected)
Date: Mon, 14 Oct 1996 13:24:31 +1000 (EST)

Approved: (spam-protected)

Subject: BoS: Crypto AG = Crypto NSA/BNG ?

Thanks to Anonymous for this English translation of the German original.


secret services undermine cryptographic devices


Archive of "DER SPIEGEL" issue 36/96 pages 206-207


"Who is the authorized fourth"

Secret services undermine the protection of cryptographic devices.

Switzerland is a discreet place. Uncounted millions of illegal money find an asylum in the discreet banks of the republic. Here another business can prosper, which does not need any publicity: the production of cryptographic devices.

A top address for tools of secrecy was for several decades the company Crypto AG in Zug. It was founded in 1952 by the legendary Swedish cryptographer Boris Hagelin. Hundreds of thousands of his "Hagelin-machines", pendants of the German "Enigma" devices, were used in World War II on the side of the Allies.

A prospectus of the company states: "In the meantime, the Crypto AG has built up long standing cooperative relations with customers in 130 countries." Crypto AG delivers enciphering devices applicable to voice as well as data networks.

But behind this solid facade the most impudent secret service feint of the century has been staged: German and American services are under suspicion of manipulation of the cryptographic devices of Crypto AG in a way that makes the codes crackable within a very short time, and this allegedly happened until the end of the eighties.

Customers of Crypto AG are many honorable institutions, like the Vatican, as well as countries like Iraq, Iran, Libya, that are at the top of the priority list of U.S. services. At the beginning of the nineties the discreet company was suspected to play an unfair game. What was the source of the "direct precise and undeniable proofs" U.S. president Reagan referred to when he ordered the bombardment of Libya, the country he called the wire puller of the attack against the disco La Belle? Obviously the U.S services were able to read encrypted radio transmissions between Tripoli and its embassy in East Berlin.

Hans Buehler, a sales engineer of Crypto AG, got between the fronts of the secret service war. On March 18, 1992, the unsuspecting tradesman was arrested in Teheran. During the nine and a half months of solitary confinement in a military prison he had to answer over and over again, to whom he leaked the codes of Teheran and the keys of Libya.

In the end Crypto AG paid generously the requested bail of about one million German marks (DM), but dismissed the released Buehler a few weeks later. The reason: Buehlers publicity, "especially during and after his return" was harmful for the company. But Buehler started to ask inconvenient questions and got surprising answers.

Already the ownership of the Crypto AG was diffuse. A "foundation", established by Hagelin, provides according to the company "the best preconditions for the independence of the company".

But a big part of the shares are owned by German owners in changing constellations. Eugen Freiberger, who is the head of the managing board in 1982 and resides in Munich, owns all but 6 of the 6,000 shares of Crypto AG. Josef Bauer, who was elected into managing board in 1970, now states that he, as an authorized tax agent of the Muenchner Treuhandgesellschaft KPMG [Munich trust company], worked due to a "mandate of the Siemens AG". When the Crypto AG could no longer escape the news headlines, an insider said, the German shareholders parted with the high-explosive share.

Some of the changing managers of Crypto AG did work for Siemens before. Rumors, saying that the German secret service BND was hiding behind this engagement, were strongly denied by Crypto AG.

But on the other hand it appeared like the German service had a suspiciously great interest in the prosperity of the Swiss company. In October 1970 a secret meeting of the BND discussed, "how the Swiss company Graettner could be guided nearer to the Crypto AG or could even be incorporated with the Crypto AG." Additionally the service considered, how "the Swedish company Ericsson could be influenced through Siemens to terminate its own cryptographic business."

The secret man have obviously a great interest to direct the trading of encryption devices into ordered tracks. Ernst Polzer*, a former employee of Crypto AG, reported that he had to coordinate his developments with "people from Bad Godesberg". This was the residence of the "central office for encryption affairs" of the BND, and the service instructed Crypto AG what algorithms to use to create the codes. (* name changed by the editor)

Members of the American secret service National Security Agency (NSA) also visited the Crypto AG often. The memorandum of the secret workshop of the Crypto AG in August 1975 on the occasion of the demonstration of a new prototype of an encryption device mentions as a participant the cryptographer of the NSA, Nora Mackebee.

Bob Newman, an engineer of the chip producer Motorola, which cooperated with Crypto AG in the seventies to develop a new generation of electronic encryption machines, knows Mackebee. She was introduced to him as a "counselor".

"The people knew Zug very good and gave travel tips to the Motorola people for the visit at Crypto AG", Newman reported. Polzer also remembers the American "watcher", who strongly demanded the use of certain encryption methods.

Depending on the projected usage area the manipulation on the cryptographic devices were more or less subtle, said Polzer. Some buyers only got simplified code technology according to the motto "for these customers that is sufficient, they don't not need such a good stuff."

In more delicate cases the specialists reached deeper into the cryptographic trick box: The machines prepared in this way enriched the encrypted text with "auxiliary information" that allowed all who knew this addition to reconstruct the original key. The result was the same: What looked like impenetrable secret code to the users of the Crypto-machines, who acted in good faith, was readable with no more than a finger exercise for the informed listener.

The Crypto AG called such reports "old hearsay" and "pure invention". But the process, that was started by the company against the former employee Buehler, on the grounds that he had said that there might be some truth in the suspicions of the Iranian investigators, surprisingly ended in November of last year.

After the trial, which could have brought embarrassing details to light, the company agreed to a settlement out of court. Since that time Buehler has been very silent with regard to this case. "He made his fortune financially," presumed an insider of the scene.

"In the industry everybody knows how such affairs will be dealt with," said Polzer, a former colleague of Buehler. "Of course such devices protect against interception by unauthorized third parties, as stated in the prospectus. But the interesting question is: Who is the authorized fourth?"

--
"Of all tyrannies a tyranny sincerely exercised for the good of its victims may be the most oppressive. It may be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end, for they do so with the approval of their own conscience." - C.S. Lewis, _God in the Dock_

+---------------------+--------------------+----------------------------------+
|Julian Assange RSO   | PO Box 2031 BARKER | Secret Analytic Guy Union        |
|(spam-protected)     | VIC 3122 AUSTRALIA | finger for PGP key hash ID =     |
|(spam-protected)     | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 |
+---------------------+--------------------+----------------------------------+

Bullshitty keynotes: not as easy as they used to be

Thanks to blogs, wifi and the web, bullshitting a keynote at a conference isn't quite as easy to pull off as it used to be! From Dan Gillmor's keynote at Supernova, via BoingBoing:

At PCForum, Joe Nacchio, the CEO of Qwest was on-stage, doing a Q and A. Joe was whining about how hard it is to run a phone company these days. Dan (Gillmor) blogged, "Joe's whining." A few moments later, he got an email from someone who wasn't at the conference, someone in Florida, with a link to a page that showed that Joe took $300MM out of the company and has another $4MM to go -- gutting the company as he goes.

Esther Dyson described this as the turning point. The mood turned ugly. The room was full of people reading the blog and everyone stopped being willing to cut Joe any slack.

some spam quickies

I've just found Gary Robinson's blog, which is a bit silly, as he's the primary source after Paul Graham's 'A Plan For Spam' paper for modern Bayesian spamfiltering techniques. I'd only read Gary's page describing the Robinson-combining technique, but he's been doing a good job of blogging the anti-spam world in general recently. Hence, he's made the blogroll ;)

Some choice links from his blog:

First off -- Jon Udell points out why reply-to-whitelist systems are Bad:

The email thread that provoked this message will soon dissolve. Including x@y.com might have been useful, but the moment has passed. If I urgently need to contact x@y.com , I may have to grit my teeth and register to do so. But no ad-hoc communication is going to make it over that activation threshold.

And a different kind of whitelist -- the IronPort Bonded Sender type, from Whitelists: the weapon of choice against spam (ZDNet):

After one and a half months of testing, IronPort identified hundreds of thousands of false-positives. At that rate, the mail generated by IronPort's customers alone, which make up a small percentage of the total amount of e-mail that traverses the Internet, is resulting in over one million false-positives per year.

Hmm. Well, I'm not 100% convinced here -- I did see Amazon.FR, who are apparently Bonded Sender customers, send a promotional mail to a mailing list. I also saw several reports from other places regarding the same mail. How often does a mailing list order goods from an e-commerce site? (But, having said that, that's the only Bonded Sender issue I've seen in about 6 months -- so let's put that down to teething issues, or someone on the list who decided to act up when ordering some goods.)

Spamland.org, a new Wiki for spamfiltering.

Debra Bowen, a California State Senator, is proposing a hardcore new anti-spam bill. "It would bar unsolicited e-mail advertising and allow people who receive it to sue the senders for $500 per transmission. A judge could triple the penalty if he or she decided the violation was intentional. ... 'The ($500) fine's really intended to get a whole generation of computer-savvy folks to help us do the enforcement,' Bowen says. 'Getting rid of spam is never going to be the district attorney's first priority and it shouldn't be.'" She notes also that she's "seen estimates that it could grow to 50 percent in the next five years." Too late -- it's already there, as far as I can tell.

FWIW, I like the sound of this -- she's requiring that commercial e-mail senders have an existing verified-opt-in relationship beforehand. Sounds good to me.

And finally, a very interesting set of tests on Robinson-combining strategies. Very interesting, that is, if you're implementing a Bayesian spam filter. Otherwise quite boring. ;)

Cisco file ludicrously lame patent on regexps

from Slashdot: Cisco patents 'Intrusion detection signature analysis using regular expressions and logical operators'.

That is so, so sad. Filed January 15, 1999. There's got to be a stack of prior art.

A Google search throws up this trivial example first off -- the use of snoop | egrep 'PATTERN1|PATTERN2|PATTERN3'. More searching reveals Lance Spitzner's page on Intrusion Detection for Checkpoint FW-1, which looks like it was originally written in 1997. The alert.sh script there uses grep(1) plentifully.
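The prior-art point above, as an added example (not from the original post or from any of the linked pages): a few lines of shell that combine grep regular expressions with AND, OR and NOT to flag firewall log lines. The log lines, the signature names and the +RE/-RE rule syntax are constructed for illustration.

```sh
#!/bin/sh
# Added example: regex signatures with AND / OR / NOT, built from grep alone.
# Log lines, signature names and the rule syntax are all constructed here.

sample_log() {
cat <<'EOF'
Nov 13 10:01:02 fw1 drop tcp 203.0.113.7:4312 -> 192.0.2.10:23
Nov 13 10:01:05 fw1 accept tcp 198.51.100.4:5120 -> 192.0.2.10:80
Nov 13 10:01:09 fw1 drop tcp 203.0.113.7:4313 -> 192.0.2.10:111
Nov 13 10:02:11 fw1 drop udp 203.0.113.9:53 -> 192.0.2.10:137
Nov 13 10:02:40 fw1 accept tcp 192.0.2.55:1044 -> 192.0.2.10:23
Nov 13 10:03:15 fw1 accept tcp 203.0.113.7:4400 -> 192.0.2.10:23
EOF
}

# One signature per line: NAME, then ';'-separated terms.
# +RE must match (AND), -RE must not match (NOT), alternation inside RE is OR.
signatures() {
cat <<'EOF'
legacy-port-probe +fw1 drop;+:(23|111|137)$
external-telnet-allowed +accept tcp;+:23$;-tcp 192\.0\.2\.
EOF
}

# match_rule LINE RULE: succeed only if every term of RULE holds for LINE.
match_rule() {
    _line=$1 _rest=$2
    while [ -n "$_rest" ]; do
        _term=${_rest%%;*}
        case $_rest in *\;*) _rest=${_rest#*;} ;; *) _rest= ;; esac
        if printf '%s\n' "$_line" | grep -Eq -- "${_term#?}"; then _hit=1; else _hit=0; fi
        case $_term in
            +*) [ "$_hit" -eq 1 ] || return 1 ;;
            -*) [ "$_hit" -eq 0 ] || return 1 ;;
        esac
    done
    return 0
}

# scan: read log lines on stdin, print "NAME<TAB>LINE" for every signature hit.
scan() {
    while IFS= read -r _l; do
        signatures | while read -r _name _rule; do
            if match_rule "$_l" "$_rule"; then printf '%s\t%s\n' "$_name" "$_l"; fi
        done
    done
}

# count_hits NAME: number of sample log lines that trigger signature NAME.
count_hits() {
    sample_log | scan | awk -F'\t' -v n="$1" '$1 == n { c++ } END { print c + 0 }'
}

sample_log | scan
```

The second signature shows the NOT term at work: the accepted telnet session from the internal 192.0.2.55 host is suppressed, while the one from outside is reported.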

wheel re-invention

AT&T reinvent the wheel (via New Scientist). "a user could safely sign up for a monthly email newsletter by specifying the source of the newsletter and limiting it to 12 messages over the next year. If the address fell into the hands of spammers, their messages would be blocked by the software before it reached the user's inbox. 'The 'Single Purpose' address system reduces spam by stopping it right before the user sees it,' says John Ioannidis, at AT&T's research laboratory in New Jersey, US. The software is currently at the prototype stage."

In other words, they've re-written TMDA, The Tagged Message Delivery Agent. Nice one.

Toxic darkness

BBC - the Great Smog of 1952 recalled. "Fifty years ago, a choking cloud enveloped much of London and the Home Counties - a toxic fog which killed at least 4,000 people. Here, Barbara Fewster, 74, recalls the Great Smog of 1952." A very Ballardian tale of this environmental disaster:

After a long time we arrived at Kew Bridge - that's at least 10 miles from Hampstead - when my fiancé called out to me, 'I've lost you, where have you got to?' I must have veered off out of range of the sidelights.

At that point, a milk float passed by and my fiancé told me to get in so we could follow its taillights. He put his foot down. Well, then the milkman disappeared and we could hear the float bouncing over the grass on Kew Green. All I could do was get out of the car and continue walking. We later came across a car that had overtaken us earlier on in the journey - it was up a tree, crashed, and no sign of the occupant.

Spam Never Ends

'Spam' Likely to Clutter E-Mail for Some Time, says Jupiter Research (via Reuters).

"It's getting easier to send spam messages. You can buy a CD-ROM with millions of e-mail addresses for next to nothing and send it out for next to nothing," said Jared Blank, senior analyst at Jupiter.

"Spammers are clever people and there is clearly an arms race between spammers and people trying to prevent spam that just constantly escalates," said Forrester analyst Jim Nail. "Having simple lists of spammers and domains -- that's not enough because spammers change domains or addresses to stay ahead."

So, good news: I have a job. Bad news: well, I think that side is obvious ;)

The mother of all package tours

The mother of all package tours: With the world expecting an attack on Iraq any time now, no one in their right mind would take a holiday there - would they? You'd be surprised, says Johann Hari (Guardian).

A fascinating article, from so many angles -- First, the tourists:

I met Julie and Phil. They seemed an almost comically suburban couple: polite, a little posh, all golf jumpers and floral smocks. But then Phil mentioned that his last holiday had been to North Korea. "Yeah, I've been twice since they opened the borders to tourists. I'm a bit of a celebrity there now. People come up to me in the streets and say, 'Why have you come to our country twice?'." ...

Then there was Hannah. How to explain her? A frightfully well-spoken Englishwoman in her early 50s. When we first met, she dispensed with the small talk to say: "I think Saddam is a great man and the USA is a great big global bully. My theory is that he should be given Kuwait. It's perfectly logical if you look at the map." "I think he's rather handsome too," she went on. "Every woman does really. I'd rather like to inspect his weapon of mass destruction myself."

And the politics:

Talking politics in Iraq is like a magic-eye picture, where you have to let your brain go out of focus, not your eyes. One very distinguished old man in a Mosul souk welcomed me warmly and told me how much he had loved visiting London in the 1970s. After much oblique prodding, he said warmly, "I admire British democracy and freedom." He held my gaze. "I very much admire them."

... As we wandered around, looking at the grim exhibits, one of the soldiers on duty guarding the museum told me that three of his brothers died in that war. Everybody in the country lost somebody - yet it is almost impossible to get anybody to talk about it. They speak in a small number of bloodless stock-phrases.

After more than 10 such encounters, it suddenly hit me that the people of Iraq are not even allowed to grieve their huge numbers of dead in their own way. They are permitted only a regulation measure of state-approved grief, which must be expressed in Saddam's language: that of martyrdom and heroism, rather than wailing agony about the futility of a war which slaughtered more than a million people yet left the borders unchanged and achieved nothing.

Thanks to Ben Walsh for the forwardy goodness.

FROM: BRUNCE IN UK

"I am Mr Brunce Anthony, the bill exchange director at the NATIONAL WESTMINSTER BANK PLC." Yes, it's a 419 from that well-known third-world country, the UK.

(PS: Brunce?! what kind of name is that?! Everyone knows only Americans have that kind of ludicrous given name ;)

Date: Wed, 13 Nov 2002 10:40:51 +0100
From: "Brunce Anthony" (spam-protected)
To: (spam-protected)
Subject: FROM: BRUNCE IN UK

Dear Sir,

I am Mr Brunce Anthony, the bill exchange director at the NATIONAL WESTMINSTER BANK PLC, 135 BISHOPSGATE LONDON EC2M 3UR.

I am writing this letter to solicit for support and assistance from you to carry out this business opportunity in my department. Lying in an inactive account is the sum of Thirty Million United States Dollars($30,000,000.00)belonging to a foreign customer(Stanley Heard),the former President(Bill Clinton's personal physician) and Chairman of the National Chiropractic Health Care Advisory Committee who happens to be deceased.

He died with his wife and two children in a plane crash on Board a small airplane that plunged into a river. Ever since he died the Bank has been expecting his next of kin to come and claim these funds.

To this effect, we cannot release the money unless some one applies for it as the next of kin, as indicated in our Banking Guideline. Unfortunately he has no family member here in the UK or America who are aware of the existence of the money as he was he was a contract physician to the Chairman of Royal Bank of Scotland.

At this juncture I have decided to do business with you in colloboration with officials that matter in the Bank, to this effect we solicit your assistance, in applying as the next of kin, then the money will be proccesed and released to you, as we do not want this money to go into the Bank, Treasury as an unclaimed bill.

The Banking law and guideline stipulate that if such money remains unclaimed for a period of Five years the money will be transfered into the Bank s' Treasury as unclaimed bill. Our request for a Foreigner as a next of kin is occassioned by the fact that the customer was a Foreigner and a British cannot stand as next of kin.

Sir, 15% of the money will be your share as a Foreign partner, while 5% will be for any expenses incured during the transaction, thereafter we would visit your country once the money hits your account for disbursement and investment.

Please reach me at the above email or fax if willing to do business with us.

Best regards,

Mr. Brunce Anthony

Sunday Times vs. spam

Danny O'Brien: Help stop the flood of spam, in the Sunday Times. Great article:

We have had enough of the filth pouring into our mailboxes. Danny O'Brien launches a Doors campaign to clean up e-mail and puts forward a six-point plan involving government, industry and you the reader

DOORS SIX-POINT ACTION PLAN

SOFTWARE MAKERS must improve antispam software, and fast. Filtering spam is good, but only masks the problem. Spam-spotting software must report what and who it has found back to the ISPs, so they can block further spams.

Interesting!