“Shockingly risky storage behavior”

From a new article in Windows IT Pro.

After a summer filled with tales of data theft, natural disasters, and executives going to jail in part because of email messages they wrote, you’d think IT pros who oversee storage matters in their organizations would be totally focused on mitigating the real risks they and their companies face. But a series of research reports from the UK and Germany indicate otherwise. In fact, according to these studies, many companies haven’t yet implemented adequate business continuity plans, have failed to address email-compliance issues, and are ignoring the danger posed by widespread use of USB memory sticks. Disasters, compliance, and data theft are known risks. Yet many companies apparently still like to pretend they don’t exist.

Link here.

Alex Eckelberry

Orion Holtby

David Eastbrook at Hurricane Digital Media now has a blog dedicated to Orion Holtby.   I got this link from a post at Vitalsecurity.

(For those of you unfamiliar with Orion, it’s a long tale of a man alleged to be a fraudster in the online advertising community.  Wayne Porter at revenews has covered the tale extensively.)

From David Eastbrook’s blog:

Our mission is simple when it comes to fighting this crap. It is based on three principles:

  1. Naturally, self-interest – he stole $54,000 from us. Big mistake.

“Never forget, never forgive, never let go.”

Screw us over, and we will hound your ass relentlessly.

  2. Prevent it from happening again. You won’t even be tempted.

“Slap me in the head, and I’ll break your jaw.”

You sure won’t slap me in the head again without thinking it over very carefully. I learned that playing hockey for many years against a lot of very unsportsmanlike fellows.

  3. Be prepared, willing, and ready to fight for yourself.

“Vengeance is mine. Period.”

Alex Eckelberry

The threat of Mobile viruses grossly exaggerated

Good for Sophos.

We’ve been noting some of the overhyped stories of mobile viruses lately — all spread by one anti-virus firm or another trying to convince people that there’s really a problem where none yet exists. There was another such hyped up story yesterday, but they’re getting so common it didn’t even register much interest. However, today, another anti-virus firm, Sophos, is taking a stand and claiming that they’re sick of all of their competitors hyping up mobile viruses that aren’t a real threat. In fact, they say that yesterday’s claim of the first “serious” mobile virus threat is “plain bonkers.”…

Link here.

Alex Eckelberry

Taming the Transportation Security Administration

Blog link here.

From EPIC: “The Transportation Security Administration has abandoned plans to use information from data aggregators to check airline passengers’ backgrounds. TSA made the decision shortly before a working group issued a scathing report (19 pages, PDF) on the program. Last year, an EPIC FOIA request revealed (4 pages, PDF) that Axciom proposed to water down federal privacy laws so that it could sell data to the government for traveler screening. For more information, see EPIC’s Secure Flight page.”

Alex Eckelberry

New blog on the Real ID act of 2005

Those of you who follow this blog know that I’m extremely concerned about the privacy implications of the Real ID act.

MIT now has a blog on the subject.

Many people and organizations have sharply criticized the “national ID” aspects of the REAL ID Act. Even before REAL ID, the National Academy of Sciences recognized that a system of national ID not only poses a “wide range of technological and logistical challenges,” but has “serious potential for infringing on the rights and freedoms of ordinary citizens.”

Link here via BeSpacific.

Alex Eckelberry

Hurricane Rita scams

CNET rightfully warns of impending Rita frauds.

So far, I haven’t seen any scams. But I have seen hurricanerita.com, which is apparently owned by the people that make the ElderValve:

It’s not a hurricane scam.  Apparently these effluent-minded people have gone ahead and registered ALL the named storms until 2009.

Alex
(Btw — this ElderValve thing actually looks rather interesting).

UPDATE:  The site has apparently been sold to the State of Texas, which is why the links in this blog are such a mess. 

Curious about the ElderValve (since the above graphic is busted)?   

Link here.

Community reaction to WhenU’s writeup

Earlier, I mentioned that Bill Day, CEO of WhenU, has written about how adware companies must behave.  

Alex Morganis froths vituperatively. To wit:

“Bill Day, the CEO of WhenU, wrote up this piece of crap on ethics of adware. I know Bill, you have been doing a good job trying to clean up WhenU’s image, but really: Nothing will stop people from saying your business sucks; It does.” 

Oh dear.

ZDNet, on the other hand,  is encouraged:

“…other adware companies would do well to adopt WhenU’s philosophy and emulate some of their practices.”

Master spyware samurai PaperGhost is also encouraged, noting that he’s never actually even seen a stealth WhenU installation:

“It’s almost like taking your distribution in house solves 90% of the problems that people scream about so much (myself included)….Woo-woo! Here comes the clue-train! Next stop, Cluesville! Perhaps some of WhenU’s competitors would like to purchase a ticket..” 

ParetoLogic’s Sascha reasons dryly — and even goes the extra step of using literary analogs from Dickens and Conrad in his analysis:

“My overall opinion of his essay is that it doesn’t say a whole hell of a lot, but what’s said is quite pleasant. Continuing the literary analogy, it’s the difference between Dickens and Conrad. With Dickens, you get a lot of words without much behind them — a great story leading into a good sleep, maybe. With Conrad, you’ve got economical language backed up by themes of race discrimination, the “white man’s burden,” colonialism, innate human savagery, all wrapped up in a mindbending frame narrative. “David Copperfield” is about 358 thousand words. “Heart of Darkness” is slightly longer than the printed directions on a can of ravioli. They’re both great books.”

(Well, any blogger who refers to Conrad – an author I admittedly worship – immediately gets extra props from me.)

And to all this, I’m left with no choice but to close this wandering blog entry with the Conrad quote: “All ambitions are lawful except those which climb upward on the miseries or credulities of mankind.” —Joseph Conrad

Alex Eckelberry
(Note: Some think that my Conrad quote was meant to be critical of WhenU.  It wasn’t meant that way at all. It was merely an implication of the real problems out there — the really bad guys who deserve the real vituperative froth)

AskJeeves to dump the butler

(There are so many stupid puns available for the asking, so out of respect for my above-average-intelligence audience, I will refrain.)

John Paczkowski  of Good Morning Silicon Valley has this to say about AskJeeves:

Jeeves, the P.G. Wodehouse character that’s been the cornerstone of Ask Jeeves’ brand for the past nine years, is out of a job. Speaking at a Goldman Sachs Group investor conference yesterday in New York, Barry Diller, Chairman and CEO of Ask Jeeves’ new owner IAC, said the affable butler’s days at the company are numbered (see “Jeeves! Dammit man, get me my coat and a larger portion of the Internet search market!”). IAC plans to rebrand Ask Jeeves as Ask.com and when it does it will no longer require the services of its longtime mascot. IAC, it seems, feels Jeeves’ butler inhibits how people view its brand (the Jeeves character is often perceived as a “gay butler” in some countries). “Jeeves will disappear, and we will probably be called Ask or Ask.com,” Diller told conference attendees. “Not that I don’t like that butler. He’s actually a thinner butler now.”

180 answers back

In response to my earlier post, Sean Sundwall of 180 Solutions has this to say:

We agree, ActiveX is somewhat problematic and for that reason, it is not our preferred method of installation. However, it is a method that some of our web publishing partners request so we continue to provide this as one of several options. As you stated, many well known software makers use ActiveX to install software. But given the limitations Microsoft has imposed on the ActiveX install experience, it’s probably fair to say that ActiveX by itself cannot truly provide the user with enough information to make an informed decision, no matter who the software maker is. This is why we provide additional notification such as the dialog boxes you posted in your update, to ensure there is no confusion and no question as to what is being installed, what the tradeoff is for users and how they can uninstall. We expect that over time, fewer and fewer publishers will use the ActiveX method, but in the meantime, we offer ActiveX as an option building in the extra measures to ensure complete disclosure.

We also recognize that many consumers don’t read EULAs (Google has done away with one altogether for their Desktop Search tool). We believe, though, that EULAs are necessary and have made every effort to offer one of the shortest and easiest to understand in the software industry. And rather than simply provide a link to our EULA, we add it to the installation dialog boxes for all to see. But knowing EULAs are often skimmed or skipped altogether, we provide a plain-language description that really cannot be misunderstood. And just in case the user doesn’t read that or was somehow confused, we provide a short, clear reminder to the user upon completion of the installation that they have installed our products and we provide a link to our customer support services. We feel like this represents a fair, honest and transparent installation experience.

 

Alex Eckelberry

The Spam Queen speaks out

Laura Betterly was once dubbed the “Spam Queen” by the Wall Street Journal. The title wasn’t entirely accurate, as she was really just one of many run-of-the-mill bulk mailers and never did offers for porn, enlarging body parts, Viagra, etc. In other words, she was nothing like the true hall-of-famers like Scott Richter and Sanford Wallace. But the title stuck and she got some noteworthy press for it.

But she doesn’t spam anymore. 

Why?  She writes about current marketing practices and spam in an article here.

It’s actually an interesting read. Take this, for example, under the heading “The future of bulk email and why it is likely to remain dead”:

“In other words, Spam is a four-letter word.

Legitimate marketers are staying away in droves and it’s easy to see why. First of all let’s look at some facts. In the United States, it is legal to send unsolicited commercial e-mail. The CAN SPAM act allows for this. You have to provide a way to opt-out and not hide who you are, and a few more simple but ethical rules.

Although it is legal, there isn’t an internet service provider in the United States who will allow you to send unsolicited commercial e-mail.

Larger mailers have opt-in information from lists they purchase which imply consent but those lists aren’t originated from the mailer, but from other sub-mailers—you get a free thing or access to a particular site and the user checks a box that it is okay to get information from their “affiliates and partners.”

The “affiliates and partners” they are referring to are those who pay for the e-mail addresses and opt-in information.

These guys are sending you mail legally, but the fact is, they are not getting into your e-mail box for the most part. Blocking, filtering, and doing it the “legal” way bulk wise, is just not working.

Not to mention, there is no way to prove that the recipients opted in or are willing to get the message since they opted in at someone else’s site, not yours.

The response rate is pathetic and when that mail does get through, you have many disgruntled individuals who never remember opting in, so in their view, the mail is unsolicited. The only way to get e-mail into inboxes en masse is by not following the rules, so the only messages getting through are the scams, including the pornographic, illegal, and objectionable.

It is ironic that the very thing people want to rail against, they are getting more of in the aftermath of Can-Spam.”

Alex Eckelberry

What’s wrong with this picture?

This recent video shows 180 Solutions is now installing Zango Search Assistant (the replacement for 180 Search Assistant) via ActiveX installs at third-party web sites.

Why is this notable?

1. The user goes to the site and gets a confusing ActiveX control thrown into their face.



Even under Windows XP SP2, it is intrusive and confusing. One gets one of these redirect/layover screens that direct the user to install an ActiveX control — a screen not necessarily from Zango but nevertheless confusing.



2. The ActiveX box describes this program only as “Website Access” from “Zango.” No mention or description of functionality such as pop-up advertising, installation of a toolbar, error page hijacking, etc.

3. The EULA itself likewise makes no mention of key functionality, disclosing only advertising in some vague way (redirects to partner websites) but not pop-up advertising — no mention of a toolbar at all. Click here.

4. Three separate programs are installed (with three different entries in Add/Remove Programs). There is a fourth, MediaGateway, a Zango app which is installed if you agree to it (a different ActiveX popup).


5. On one test system, a device driver capable of accessing the drive directly (ide210201.vxd) is dropped in System32. Just what this driver is being used for is unknown. See Google. According to this post, “this is a legitimate file and it is used in Windows Me/98/95 computers in order to get data on the hard disk installed”.

Alex Eckelberry
(Thanks to Eric Howes for his invaluable contribution)

8:44 PM Update: 180 Solutions is fiercely defending this install, and we expect something to post later tonight or tomorrow morning.

In the meantime, here is some more information and clarifications.

The VXD file mentioned above (ide210201.vxd) comes from MediaGateway, a Zango application. I did not get this file on a re-test this evening with Windows XP SP2.

So here is how the install occurs on a Windows XP SP2 system:

After you get the “You Must Click Yes” dialog and agree to install the ActiveX control, you get the standard ActiveX install warning:

After agreeing to Zango, to their credit, you then get these screens:

Note that this screen is pre-selected, has a big EULA stuffed into a tiny box, etc. But it is a step better than what we’ve seen in the past…

So, notice is given that Zango is being installed, and one can uninstall the programs through Add/Remove.

Here’s the key problem, though: The use of ActiveX installs is problematic, since one cannot provide adequate notice and disclosure in the initial screen — and it’s a method of install that has been heavily abused in the spyware space.

ActiveX controls are used by many reputable publishers, such as Microsoft and Trend Micro. However, in these cases, the user is quite aware of what is going on. An ActiveX control simply popping up in your face (the case if you’re not running SP2) confuses and baffles users.

However, to 180’s credit, they do provide an install screen after the ActiveX install which clarifies what is going on.

A final note: Contrary to intimations in the installer and uninstaller, access to this website does not need Zango.

ATM Hacking

Ted Richardson writes about hacking an ATM machine, with pics…

Here are his pics of an ATM Machine after being compromised.

They attach a device over the card slot on the legitimate ATM, which reads the magnetic information. Using the latest wireless technology, it is normally transmitted to fraudsters in a nearby vehicle.

Your ATM is protected by a PIN, but these criminals have a solution for this too. They install a hidden camera, again using the latest technology (wireless) and the PIN is digitally recorded.

Here is a picture of the compromised ATM with the camera installed.

Alex Eckelberry

Mozilla fights back against security claims

As blogged earlier, vulnerabilities in Firefox are now running at a faster clip than those for Internet Explorer.

ZDNET article here: “Tristan Nitot, president of Mozilla Europe, hit back by claiming on Monday that when a vulnerability is found Mozilla’s ‘ability to react, find a solution and put it into the user’s hands is better than Microsoft.’”

Alex Eckelberry
(Tip of the hat to Donna)