Archive for November, 2005

McAfee VirusScan bloat?

Wednesday, November 30th, 2005

Many people have decent Windows machines, say 1-2 years old, that are running quite slow. After cleaning off any spyware/adware, removing old and/or unused programs, and disabling unnecessary services/applications from starting up automatically, the machines still run sluggish. Now, we are not talking about machines that need massive hardware upgrades or are being used for hardcore applications – often, just some additional RAM would be nice, but is not absolutely necessary.

So, what is the common thread? McAfee VirusScan. VirusScan seems to come preinstalled on many machines, and most people just pay for it after the trial period. That makes sense, as it worked for a few months and looking for alternative anti-virus products is a chore. However, it appears that McAfee VirusScan grows more and more bloated over the course of the year or two of its life cycle on the machine, and the machine just cannot keep up. Even turning off much of VirusScan’s functionality helps little at this point; it must be totally disabled to remedy the situation. (Reminds me of Java! Ha! ;) )

The usual fix: remove McAfee VirusScan and install CA EZ Antivirus. Despite not being the top-ranked product, it works for us and is quite fast. Plus, there is a free 1 year trial for Microsoft users.

(If McAfee has any ideas, please let us know.)

Phishing – don’t bite

Monday, November 28th, 2005

We received a phishing email a few days back, and I figured it might be good to go through the general process I went through to identify the email as a scam and research it a bit.

So, I received an email message to the D-kriptik support account purporting to be from Paypal. I was using Thunderbird as my mail client, and it was configured to display email messages as plaintext. As such, the email message was displayed as blank, but the From: field was “service@email.paypal.com” <update@paypal.com> and the Reply-To: field was “account@paypal.com” <service@email.paypal.com>.

Phishing message displayed as plaintext in Thunderbird

Now, I already knew this message was a scam. We have email addresses dedicated to various purposes, including specific addresses used as email contacts for specific accounts, such as Paypal accounts. The D-kriptik support address listed on our main web site has never been associated with any Paypal accounts, so this message was obviously a fraud. Not to mention, the message displayed as blank and the Paypal email addresses just looked off. So, I could have just deleted the message at this point, but I was curious.

(Important note: The use of “xxx” is an edit made by me to slightly mask IP addresses, and it is used throughout this post and referenced files.)

So, I pulled up the raw message using View->Message Source (CTRL-U) in Thunderbird, and the header contained the following. (I have posted the raw message here.)

Return-path: <service@email.paypal.com>
Envelope-to: support@d-kriptik.com
Delivery-date: Mon, 21 Nov 2005 11:07:14 -0500
Received: from [213.146.116.xxx] (helo=213.146.116.xxx)
by cwpro1.crosswinds.net with smtp (Exim 4.52 (FreeBSD))
id 1EeEBr-0009SZ-0T
for support@d-kriptik.com; Mon, 21 Nov 2005 11:07:14 -0500
Received: from 189.144.176.xxx by ; Mon, 21 Nov 2005 10:01:28 -0600
Message-ID: <UKFDKVGIILJMJPLEEIZLIG@verizon.net>
From: "service@email.paypal.com" <update@paypal.com>
Reply-To: "account@paypal.com" <service@email.paypal.com>
To: support@d-kriptik.com
Subject: Security Notification
Date: Mon, 21 Nov 2005 13:03:28 -0300
X-Mailer: Microsoft Outlook Express 5.00.2615.200
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--14555300788773238150"
X-Priority: 1
X-MSMail-Priority: High

(The use of “213.146.116.xxx” is an example of the “important note” above.)

MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--14555300788773238150"
X-Priority: 1
X-MSMail-Priority: High

----14555300788773238150
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

Well, now we can see why the message was displayed as blank. The message consisted solely of a single MIME part containing HTML content. Since my mail client was not configured to display such content, it displayed a blank message. This is also strange, as most companies take the time to include at least a token plaintext part in their email bodies, just to cover customers that only display email as plaintext.

Message-ID: <UKFDKVGIILJMJPLEEIZLIG@verizon.net>

Strange, I’d expect this to contain something along the lines of “paypal.com”, not “verizon.net”.

X-Mailer: Microsoft Outlook Express 5.00.2615.200

Strange, it does not make sense that Paypal would be using Outlook Express for any customer interaction purposes, especially automated security notifications.

Received: from [213.146.116.xxx] (helo=213.146.116.xxx)
by cwpro1.crosswinds.net with smtp (Exim 4.52 (FreeBSD))
id 1EeEBr-0009SZ-0T
for support@d-kriptik.com; Mon, 21 Nov 2005 11:07:14 -0500
Received: from 189.144.176.xxx by ; Mon, 21 Nov 2005 10:01:28 -0600

Strange, this message was received by cwpro1.crosswinds.net (Crosswinds is our hosting provider) from 213.146.116.xxx instead of from a mail server associated with and/or identifying itself as paypal.com. (The second (i.e., prior) Received field I can basically ignore here, as it was likely fully under the control of the malicious sender.)

$ nslookup 213.146.116.xxx
Server: 192.168.xxx.1
Address: 192.168.xxx.1#53

Non-authoritative answer:
xxx.116.146.213.in-addr.arpa name = reverse-213-146-116-xxx.cust.kamp-dsl.de.

Authoritative answers can be found from:
116.146.213.in-addr.arpa nameserver = ns.kamp.net.
116.146.213.in-addr.arpa nameserver = ns2.kamp.net.
ns.kamp.net internet address = 195.62.97.2
ns2.kamp.net internet address = 195.62.97.18

Hmm, this message looks to have originated from a DSL subscriber in Germany. That is weird.

$ whois 213.146.116.xxx

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 213.0.0.0 - 213.255.255.255
CIDR: 213.0.0.0/8
NetName: RIPE-213
NetHandle: NET-213-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: NS-EXT.ISC.ORG
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate:
Updated: 2005-07-27

# ARIN WHOIS database, last updated 2005-11-22 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag

% Information related to '213.146.112.0 - 213.146.127.255'

inetnum: 213.146.112.0 - 213.146.127.255
netname: KAMP-DSL-NET
descr: KAMP Netzwerkdienste GmbH
descr: DSL-Pool fixed IPs
country: DE
admin-c: KAMP-RIPE
tech-c: KAMP-RIPE
status: ASSIGNED PA
remarks: INFRA-AW
remarks: ***************************************
remarks: * please report spam/abuse/scans/etc. *
remarks: * to: abuse@kamp.de *
remarks: ***************************************
mnt-by: KAMP-P-MNT
source: RIPE # Filtered

role: KAMP NOC
address: KAMP Netzwerkdienste GmbH
address: Vestische Str. 89-91
address: 46117 Oberhausen
address: DE
phone: +49 1805 24289905
fax-no: +49 1805 24289999
e-mail: noc@kamp.de
admin-c: HL47-RIPE
tech-c: RI7-RIPE
tech-c: TS1792-RIPE
tech-c: ME1587-RIPE
nic-hdl: KAMP-RIPE
mnt-by: KAMP-MNT
source: RIPE # Filtered

% Information related to '213.146.96.0/19AS8648'

route: 213.146.96.0/19
descr: KAMP Netzwerkdienste
origin: AS8648
mnt-by: KAMP-P-MNT
source: RIPE # Filtered

I note the following and record abuse@kamp.de for notification of this phishing message.

remarks: ***************************************
remarks: * please report spam/abuse/scans/etc. *
remarks: * to: abuse@kamp.de *
remarks: ***************************************

Ok, I fire up Firefox and visit www.kamp.de.

Snippet from Kamp web site rendered in Firefox.

It looks like KAMP is an ISP in Germany.

At this point, if I did not know already, I have found enough information to label this message as a fraud. Paypal is not going to be sending messages from DSL subscriber accounts in Germany.

Looking at the HTML source of the message, I see that it links in many images from the paypal.com web site. But, embedded in here, I also see the following.

<A href=3D"http://210.98.146.xxx/.confirm/index.php?MfcISAPICommand=3D=
SignInFPP"

>

So, I am being asked to connect to a web site identified only by a numeric IP address over a plaintext (clear-text HTTP) connection. If this was a legitimate message from paypal.com, I would expect the sign-in to be located at paypal.com and to use https.
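The header and body checks walked through above (the Received hop stamped by our own MTA, the out-of-place Message-ID domain, the HTML-only body, the desktop X-Mailer, and the sign-in link to a bare IP over plain http) can be automated. The following is an added Python example, not code from the original post; the sample message is constructed from the headers and link quoted above with the same "xxx" masking, and cwpro1.crosswinds.net is taken from the post as the trusted receiving mail server.

```python
"""Triage of a suspected phishing message: the header and body checks from the
post, automated. Added example, not the post's own code."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample modelled on the headers and link quoted in the post, with the same "xxx" masking.
SAMPLE_RAW = """Return-path: <service@email.paypal.com>
Received: from [213.146.116.xxx] (helo=213.146.116.xxx)
\tby cwpro1.crosswinds.net with smtp (Exim 4.52 (FreeBSD))
\tid 1EeEBr-0009SZ-0T
\tfor support@d-kriptik.com; Mon, 21 Nov 2005 11:07:14 -0500
Received: from 189.144.176.xxx by ; Mon, 21 Nov 2005 10:01:28 -0600
Message-ID: <UKFDKVGIILJMJPLEEIZLIG@verizon.net>
From: "service@email.paypal.com" <update@paypal.com>
Reply-To: "account@paypal.com" <service@email.paypal.com>
Subject: Security Notification
X-Mailer: Microsoft Outlook Express 5.00.2615.200
MIME-Version: 1.0
Content-Type: text/html

<html><body><a href="http://210.98.146.xxx/.confirm/index.php?MfcISAPICommand=SignInFPP">
Click here to verify your account</a> <img src="https://www.paypal.com/logo.gif"></body></html>
"""

TRUSTED_MTA = "cwpro1.crosswinds.net"  # our own inbound mail server, as in the post
# Dotted quad, accepting the post's "xxx" masking in any octet.
HOST_IP_RE = re.compile(r"^(?:\d{1,3}|xxx)(?:\.(?:\d{1,3}|xxx)){3}$")


def header_domain(value: str) -> str:
    """Domain part of an address-bearing header (From, Reply-To, Message-ID, ...)."""
    addr = parseaddr(value)[1] or value.strip("<> ")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def originating_ip(msg: Message) -> "str | None":
    """IP that handed the message to our trusted MTA. Received headers are
    prepended hop by hop, so the first one stamped 'by' our own server is
    trustworthy; everything below it was written by the sender."""
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())
        if f"by {TRUSTED_MTA}" in flat:
            m = re.search(r"from \[([^\]]+)\]", flat)
            return m.group(1) if m else None
    return None


def domain_findings(msg: Message, expected_domain: str) -> list:
    """Flag address-bearing headers whose domain is not the claimed sender's."""
    findings = []
    for name in ("From", "Reply-To", "Return-path", "Message-ID"):
        value = msg.get(name)
        if value is None:
            continue
        dom = header_domain(value)
        if dom != expected_domain and not dom.endswith("." + expected_domain):
            findings.append(f"{name} domain {dom!r} is not {expected_domain!r}")
    return findings


def link_findings(html: str) -> list:
    """Flag links whose host is a bare IP address or whose scheme is cleartext http."""
    findings = []
    for url in re.findall(r'href=["\']?([^"\'\s>]+)', html, flags=re.I):
        m = re.match(r"(https?)://([^/:?#]+)", url, flags=re.I)
        if not m:
            continue
        scheme, host = m.group(1).lower(), m.group(2)
        if HOST_IP_RE.match(host):
            findings.append(f"link to bare IP host {host}")
        if scheme == "http":
            findings.append(f"cleartext http link to {host}")
    return findings


def html_body(msg: Message) -> str:
    """Decoded text of every text/html part (quoted-printable etc. handled by decode=True)."""
    parts = []
    for p in msg.walk():
        if p.get_content_type() == "text/html":
            raw = p.get_payload(decode=True) or b""
            parts.append(raw.decode(p.get_content_charset() or "latin-1", "replace"))
    return "\n".join(parts)


def triage(raw: str, expected_domain: str) -> dict:
    """Run every check over one raw message; returns the originating IP and findings."""
    msg = message_from_string(raw)
    findings = domain_findings(msg, expected_domain) + link_findings(html_body(msg))
    if not any(p.get_content_type() == "text/plain" for p in msg.walk()):
        findings.append("HTML-only message: no text/plain alternative")
    mailer = msg.get("X-Mailer", "")
    if "outlook express" in mailer.lower():
        findings.append(f"desktop mail client sent an 'automated' notice: {mailer}")
    return {"originating_ip": originating_ip(msg), "findings": findings}
```

The originating IP it returns is the one to look up with nslookup and whois; the findings list is what you would want logged before the message ever reaches a user's inbox.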

$ nslookup 210.98.146.xxx
Server: 192.168.xxx.1
Address: 192.168.xxx.1#53

** server can't find xxx.146.98.210.in-addr.arpa: NXDOMAIN

$

Hmm.

$ whois 210.98.146.xxx

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 210.0.0.0 - 211.255.255.255
CIDR: 210.0.0.0/7
NetName: APNIC-CIDR-BLK2
NetHandle: NET-210-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS-SEC.RIPE.NET
NameServer: TINNIE.ARIN.NET
NameServer: DNS1.TELSTRA.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
Comment:
RegDate: 1996-07-01
Updated: 2005-05-20

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100
OrgTechEmail: search-apnic-not-arin@apnic.net

# ARIN WHOIS database, last updated 2005-11-22 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 210.98.128.0 - 210.98.191.255
netname: BORANET-NET-210-98-128
descr: DACOM Corp.
descr: Facility-based Telecommunication Service Provider
descr: providing Internet leased-ine, on-line service, BLL etc.
country: KR
admin-c: DB50-AP
tech-c: DB50-AP
mnt-by: APNIC-HM
mnt-lower: MNT-KRNIC-AP
changed: hm-changed@apnic.net 20021025
status: ALLOCATED PORTABLE
source: APNIC

role: DACOM BORANET
address: DACOM Bldg., 706-1, Yoeksam-dong, Kangnam-ku, Seoul
country: KR
phone: +82-2-2089-7755
fax-no: +82-2-2089-0706
e-mail: ipadm@nic.bora.net
e-mail: abuse@bora.net
e-mail: security@bora.net
admin-c: EC115-AP
tech-c: SIJ1-AP
nic-hdl: DB50-AP
mnt-by: MNT-KRNIC-AP
remarks: IP address administrator group of NIC team, DACOM Corp.
remarks: If related with spam, send mail to abuse@bora.net
remarks: If related with security, send mail to security@bora.net
remarks: Only for whois information correction, send mail to ipadm@nic.bora.net
changed: jeonsi@bora.net 20041105
source: APNIC

I note the following and record abuse@bora.net for notification of this phishing message.

remarks: IP address administrator group of NIC team, DACOM Corp.
remarks: If related with spam, send mail to abuse@bora.net
remarks: If related with security, send mail to security@bora.net

Ok, I fire up Firefox and visit www.bora.net, and then I follow the link to the English version of the site.

Snippet from Bora.net web site rendered in Firefox.

It looks like bora.net is an ISP in the Asia-Pacific region, so I am being asked to sign in to my Paypal account through a rogue web site hosted in the Asia-Pacific region. Yeah, sure, that makes sense.

Looking at the message source, the HTML looks clean enough. So, let's see how this message renders in Thunderbird when I turn on displaying HTML messages.

Phishing message displayed as HTML in Thunderbird

(Heh. When displayed in HTML format, Thunderbird labels the message as “Thunderbird thinks this message might be an email scam.” Nicely done.)

Begin Skip Doing This Content—>

Everything up until this point was just investigation to determine that the message was a scam and to figure out the proper abuse contacts. But now, let's check out 210.98.146.xxx. I recommend that everyone NOT do this, as we are attempting to connect to a potentially malicious entity.

$ ping 210.98.146.xxx
PING 210.98.146.xxx (210.98.146.xxx): 56 data bytes
^C
--- 210.98.146.xxx ping statistics ---
17 packets transmitted, 0 packets received, 100% packet loss
$ telnet 210.98.146.xxx 80
Trying 210.98.146.xxx
^C$

The web site linked to in the phishing message looks to be down. Ok, what about 213.146.116.xxx, the IP address from which we received this message? Once again, I recommend that everyone NOT do this, as we are attempting to connect to a potentially malicious entity.

$ ping 213.146.116.xxx
PING 213.146.116.xxx (213.146.116.xxx): 56 data bytes
64 bytes from 213.146.116.xxx: icmp_seq=0 ttl=113 time=191.754 ms
64 bytes from 213.146.116.xxx: icmp_seq=1 ttl=113 time=190.349 ms
^C
--- 213.146.116.xxx ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 190.349/191.051/191.754/0.703 ms
$ telnet 213.146.116.xxx 25
Trying 213.146.116.xxx
^C
$ telnet 213.146.116.xxx 80
Trying 213.146.116.xxx
Connected to reverse-213-146-116-xxx.cust.kamp-dsl.de.
Escape character is '^]'.
GET / HTTP/1.1
Host: 213.146.116.xxx
Connection: close
User-Agent: Manual

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Wed, 23 Nov 2005 06:30:23 GMT
Connection: close
Content-Length: 1283
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCQRCQBQC=OJDBMBFBKMOMFBFIEBABEGMP; path=/
Cache-control: private

<!--
WARNING!
Please do not alter this file. It may be replaced if you upgrade your web server
If you want to use it as a template, we recommend renaming it, and modifying the new file.
Thanks.
-->

[HTML removed - it can be found here]

Connection closed by foreign host.
$

The HTML looks clean and generic, so let's render it in Firefox.

Generic under construction web page of potential sender machine rendered in Firefox

(Since I am rendering this on a local copy of the HTML, I do not have the image referenced in the HTML – thus, the broken image indicator.)

This may or may not be the machine that sent the message to the crosswinds mail server. For example, the IPs may be dynamically allocated by this ISP to its DSL subscribers, and the IP may now be assigned to a different subscriber. Of course, I could now switch to covert exploration and probe this system in more detail, but that is not my role here and I walk away.

<— End Skip Doing This Content

So, what tools have we used here? I used no special toolkits here, and really no security tools of any kind.

  • Thunderbird, which allowed display of email messages in plaintext only and viewing of the raw message source. It also was able to identify the message as a scam and could render the HTML content of the messages.
  • Firefox, which rendered the HTML pages for me.
  • nslookup, which allowed me to perform a DNS reverse lookup on the IP addresses I noticed. (Note this.)
  • whois, which allowed me to query information on the owners of the IP address blocks I noticed and find abuse contacts.
  • telnet, which allowed me to connect to remote machines and interact with services on them manually.

The Firefox and Thunderbird applications in the screenshots were running on a Windows XP system. nslookup, whois, and telnet were running on a FreeBSD 6 system. Both nslookup and telnet are also available as part of a standard Windows XP installation, and there are many resources for performing whois lookups through the web. (Also, Cygwin brings a whole suite of GNU/Linux and Unix tools to Windows. Another tool for Windows is SamSpade, which I believe is designed for researching rogue email messages.)

And, what techniques did we employ?

  • Wariness – Email should not be trusted by default. Examine email messages closely, especially if they request sensitive information, contain attachments, or provide links, and be sure to establish trust before performing any actions requested by the messages. This is just how I think, and it helps in avoiding scams.
  • Research – When in doubt, do some research. (An easy way to do this for messages claiming to be from a company or person you deal with is just call the company or person.) By looking at the raw message, I could see weird characteristics in the headers and the message body that indicated this was a fraud. I then used information taken from the headers and message body to identify proper abuse contacts at the relevant ISPs.
  • And the easiest one…
  • Multiple email accounts with dedicated purposes – By having specialized email accounts that are used only for certain purposes, many scam messages can be quickly identified just by being out of place. (You can also track the dissemination of your email addresses quite well by doing this.) That is how I knew this message was a scam before I even read its contents.

Anyway, now all that is left to do is notify abuse@bora.net and abuse@kamp.de about this message. We forwarded the original message with its full headers intact. (In Thunderbird, this can be easily accomplished by forwarding the message as an attachment (Message->Forward As->Attachment). We chose to copy and paste the message’s source inline rather than treat it as an attachment.)

From – Wed Nov 23 17:21:20 2005
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00800000
Message-ID: <4384EB3B.6060709@d-kriptik.com>
Date: Wed, 23 Nov 2005 17:20:43 -0500
From: "D-kriptik Support (Andrew Donofrio)" <support@d-kriptik.com>
User-Agent: Thunderbird 1.5
MIME-Version: 1.0
To: abuse@bora.net, abuse@kamp.de
Subject: Malicious email – [Fwd: Security Notification]
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

To Whom It May Concern,

We received a malicious email message (phishing) that was sent via a
user of Kamp and pointed to a web site hosted by a user of bora.net.

We can see from the headers that the message was sent from
213.146.116.xxx, which belongs to KAMP.

> Received: from [213.146.116.xxx] (helo=213.146.116.xxx)
> by cwpro1.crosswinds.net with smtp (Exim 4.52 (FreeBSD))
> id 1EeEBr-0009SZ-0T
> for support@d-kriptik.com; Mon, 21 Nov 2005 11:07:14 -0500

We can see from the message body that the malicious web site is hosted
by 210.98.146.xxx, which belongs to Bora.

> <TD class=3Dpp_sansserif align=3Dmiddle><A
> href=3D"http://210.98.146.xxx/.confirm/index.php?MfcISAPICommand=3D
> SignInF=
> PP"
>
>
>
> >Click here to verify your
> account</A></TD>

The complete message along with all of its headers is included below.
Thanks for your time.

-Andrew

---- Forwarded message ----
[Snip original message]

Happy Thanksgiving!

Thursday, November 24th, 2005

I am thankful for my family and friends, and greatly appreciate their support through these early days of the business. I am thankful for all the people that have tolerated my focus, my drive, and my general lack of social time. I am thankful for all the wonderful persons that I have met over the course of this year, including the missed connections. I am thankful for what I have now and what I hope to achieve later. Most of all though, I am simply thankful to be. So…

Happy Thanksgiving!

(It is 2PM EST, and the turkey is ready!)

Common questions

Wednesday, November 23rd, 2005

Will D-kriptik assist our company with FIPS 140-2 validation of our product? Unfortunately, we do not provide FIPS 140 validation or Common Criteria (CC) certification consulting services to product vendors looking to achieve validation/certification, as this is not in line with the focus of D-kriptik. If you are a product vendor looking for validation/certification consulting services, this company has been doing exactly that for many years now (I can provide specific contacts, if desired). (I spent some time in this field, which is why this question is common for companies that locate D-kriptik by searching on my name. This interest is greatly appreciated, but we do not provide such services.)

Where does D-kriptik run across FIPS 140 validations and CC certifications in its work? Well, we help companies build and maintain their Information Technology (IT) infrastructures. Some of our clients may want or be required to use validated or certified security products in their IT infrastructure, and we are knowledgeable in the various products out there that can be used to achieve this end. In other words, we assist in the selection, configuration, deployment, and maintenance of validated/certified products in an IT infrastructure, which can be a tricky process as these products often have operational restrictions as part of their validations/certifications.

Update:

Would D-kriptik be willing to use such and such FIPS 140 validated and/or CC certified product when building an infrastructure for its clients? This question is on a broader scale than just validated/certified products – we use those products that best fit a particular project. It may be useful to note that, besides looking at the cost-benefit of a product based on our customer’s requirements, needs, and wants, establishing positive relationships with, and knowing technical contacts (more than just marketing, sales, and generic tech support contacts) at, product vendors can play an important role in influencing our recommendations, as these facilitate our ability to better serve our customers. Also, while we try to keep up with products that have been validated and certified, product vendors should feel free to let us know about their new certifications and validations.

Notes on “Porn in the Age of Instant Access”

Tuesday, November 22nd, 2005

I attended the debate on “Porn in the Age of Instant Access: What are the social effects of fast, cheap & stigma-free viewing?” yesterday, as mentioned in a previous post. The speakers were Nick Gillespie (Editor, Reason Magazine), Rachel Kramer Bussel (Columnist Village Voice & Penthouse), Pamela Paul (author Pornified & The Starter Marriage), and Robert W. Peters (President, Morality In The Media), and the moderator was Brooke Gladstone (NPR’s On The Media). (I imagine video and audio of the event will turn up on this page, but, at the time of this writing, the site had not yet been updated to include it. As I understand it, only an hour of the debate was recorded, although the debate was an hour and a half.)

As far as the panel members’ stances go, in binary terms they broke down as follows.

  • Pamela Paul – anti porn.
  • Nick Gillespie – pro porn.
  • Robert W. Peters – anti porn.
  • Rachel Kramer Bussel – pro porn.

And, my opinion of how well the panelists handled the debate. (Note: Regardless of my opinions on the panelists’ effectiveness in this debate, it takes a lot of courage to get up and debate your views in public and with cameras. Bravo to all of them.)

  • Pamela Paul – Pamela started out strong, but she weakened as the discussions proceeded.
  • Nick Gillespie – Nick was the most effective debater.
  • Robert W. Peters – Robert was a last minute panelist and it showed.
  • Rachel Kramer Bussel – Rachel started out strong and stayed strong.

(Best quote of a quote – ” “the beating of his hideous heart” ” – Nick Gillespie)

As you can imagine, the debate was quite lively, as the panel was composed of people with very different viewpoints. However, there was virtually no technical discussion, so I have little in the way of notes that are relevant to this blog. Those relevant notes follow.

The general starting point of the debate was that pornography has become ubiquitous due to distribution via mediums such as the Internet, and it is difficult not to stumble across pornography when online.

Rachel Kramer Bussel feels that pornography has helped to fuel the adoption of many technologies. The Internet is an example of this. She also feels that the ubiquitous access makes pornography less elitist towards women from the access perspective (I note this point because it is often seen as one of the biggest benefits of this information age – unencumbered access to information – and technology provides a powerful medium for distributing information – the Internet).

There was a question about using technology to censor the pornography available on the Internet. The panel agreed that there is no technology that can effectively censor pornography. On a related note, the v-chip was pointed out for televisions at some point during the discussions.

And that was about it for technology during this discussion. Thanks to the panelists for an enjoyable debate.

(On the out and about… I cannot recommend Monday nights at Cielo strongly enough. The music is utterly amazing, and the crowd loves it.)

(Happy birthday to a friend!)

Update:

Goodness, I am on a phone call almost immediately after writing this post, and I get the same questions (see the bottom of this post) about why this write-up had such a limited focus when the whole discussion centered around the implications of technology. Again, while this is true to some degree, that degree is not enough to make it relevant to this blog. For example, statistics on pornography usage and the positive/negative behaviors/trends that may result from it, and moral arguments for and against pornography, are a bit outside of the focus here. An hour of the debate should be put online here at some point.

Given our focus, do our readers feel we should stop doing write-ups on these types of events in the future?

Notes on “The Secret World of Global Eavesdropping”

Friday, November 18th, 2005

I attended the panel discussion on “The Secret World of Global Eavesdropping” yesterday, as mentioned in a previous post. It was composed of Patrick Radden Keefe, moderator, and John Young, primary speaker. (Robert Windrem did not attend.)

My notes on the event follow the question/response format used during the discussion, and this post contains the subset of my notes that deals with technology and its usage in some form. The webcast for this event can be found here.

(My favorite quote from the discussion: “Mathematicians are an unruly group and hard to contain.” – John Young)

For those that don’t know, Cryptome.org publishes information on national security, intelligence, cryptography, etc. with a technical focus.

    Is the human spy outdated? John Young says yes. Electromagnetic spectrum-based surveillance (supposedly at least 16 types are used by the National Security Agency (NSA)) and computer analysis (algorithms) are what is important to intelligence agencies. John thinks the complaints by the NSA, etc. about keeping up with technologies such as the Internet are false -> these technologies allow detailed analysis (supposedly about 20 types of wholesale data analysis), such as traffic analysis and data mining. Algorithms are what matter now – search, patterns of use, quantity, etc. Also, as discussed later, John thinks that the importance of communications intelligence is another myth like the importance of human agents, as data intelligence is much more powerful than simply listening in to a conversation.

(John Young slip – use of “cult” for “culture” in “culture of secrecy.”)

    Is data mining better against USA citizens than 3rd world terrorists due to our technology usage and paper trail? John Young says there are a variety of ways for gathering data – many different algorithms – and these can be effective for tracking terrorists. (An audience question follows up on this.)

Up until this point, Patrick had been asking the questions. Next, the audience chimed in. (In order to ask questions, you had to be videotaped. Great.)

    How can the technological surveillance actually work in Afghanistan mountains? John Young points out that terrorists hiding in the mountains still have to communicate to be effective, and they can be tracked by their infrastructure needs/usage (e.g., getting food).

    Is PGP useful? John Young says he does not know how good PGP really is, but he uses it. (The OpenPGP specification can be found here, and GnuPG is an implementation of OpenPGP that I often use.)

    What about Echelon? Patrick discusses Echelon. It is a global spying network (originally established by the “UK-USA agreement” in the 1940’s). An EU commission, investigating whether Echelon was used by the USA government to give USA companies a competitive advantage, essentially confirmed the existence of Echelon (but was not able to find any conclusive evidence in regards to the point of its investigation). Later (after Patrick’s book on the topic), the NSA confirmed the existence of Echelon to some degree.

    John Young went on to discuss what inspired him to start Cryptome. Lo and behold, it was the cypherpunks. He began following the cypherpunks in 1994 and started Cryptome soon after. He praised the talented technical work of the cypherpunks, but he did throw in a jab at their political beliefs. (I discovered the cypherpunks when I started college in 1995. The cypherpunks played a pivotal role in the “crypto wars” of the 1990’s and are often credited with bringing crypto to the masses in the USA.)

    How does John Young protect his privacy? He uses PGP. He is skeptical of the Internet and worries about his site being used as a form of honey pot to lure people in for monitoring by the government. He says become knowledgeable. He says be open. (There are lots of tools oriented towards privacy out there – for example, TOR, privoxy, mixmaster remailers, and mixminion remailers.)

Overall, the panel discussion gave an overview of John Young’s thoughts on the topic at hand and some cursory information on things like Echelon. It was not the debate that I was envisioning, but I am glad I attended. Thanks to John Young and Patrick Radden Keefe for participating.

(As far as the out and about goes… We ended up at Hiro Ballroom. Turns out, The Sounds were playing, and it was good.)

Update:

I was asked why this write-up only focused on the technological content of the panel discussion. That was because this blog is technology focused, and most of the discussion was not relevant here. This was countered with the fact that the whole discussion was the result of technology. That is true to some degree, but that degree was not enough to make the content fit here. Of course, the full panel discussion is available online for those that are interested, and there is also the web site of the panelist, John Young – Cryptome.org.

Panel discussions on global eavesdropping and pornography

Wednesday, November 16th, 2005

There are two panel discussions upcoming in New York City (Manhattan) that involve technology and its uses/impacts in one form or another, and these talks have the potential for provocative subject matter. I plan on attending both.

  1. This discussion occurs on Thursday.

    The World Policy Institute at The New School
    presents

    THE SECRET WORLD OF GLOBAL EAVESDROPPING

    a panel discussion with

    ROBERT WINDREM, Producer, NBC News

    and

    JOHN YOUNG, Editor, Cryptome.org

    Moderated by

    PATRICK RADDEN KEEFE, Project Leader, The World Policy Institute

    The human spy is a thing of the past: today, the United States devotes far more resources to high-tech electronic intelligence gathering than to more traditional forms of espionage. A hundred military and intelligence satellites circle the earth and secret American “listening stations” are scattered around the planet, intercepting billions of phone conversations and emails every day. How effective is this kind of spying by remote control? Can intelligence agencies successfully sort through the volumes of communications they intercept to locate and identify the proverbial ticking bomb? How does eavesdropping compare to on the ground intelligence operations? And from the point of view of individual privacy and civil liberties, should American citizens trust the government to operate such a colossal surveillance apparatus without effective congressional oversight or public scrutiny? Join two experts on “communications intelligence” for an eye-opening discussion of these important issues.

    Thursday, November 17, 2005, 6:00-7:30 p.m. Swayduck Auditorium, first
    floor, 65 Fifth Avenue (between East 13-14th sts.). Admission is $5.00. Visit www.dialnsa.edu for a live webcast and online discussion.

    (The Illuminatus! Trilogy by Robert Shea and Robert Anton Wilson just popped into my head. To the friend that turned me on to this series, I hope you are doing better.)

  2. This debate occurs next Monday.

    Porn in the Age of Instant Access: What are the social effects of fast, cheap & stigma-free viewing?

    Featuring Nick Gillespie, Editor, Reason Magazine; Rachel Kramer Bussel, Columnist, Village Voice & Penthouse; Pamela Paul, author, Pornified & The Starter Marriage; and Ben Shapiro, author, Porn Generation

    Moderator: Brooke Gladstone, NPR’s On The Media

    The Internet and digital cable have allowed the purchasing and viewing of pornography to become easier than ever. While porn consumers can now easily keep their interests private, porn producers have become more public and corporate. The U.S. porn industry now generates $12 billion annually: more than the combined revenues of the major television networks. What are the cultural effects of this mainstreaming? Can and should there be a political response to these trends?

    Monday, November 21st 2005
    6:30 P.M. Prompt
    (Free and open to the public – Reception to follow)

    The Graduate Center
    The City University of New York
    365 Fifth Avenue, New York
    (Corner of 34th Street & 5th Avenue)

    (This post just came to mind.)

See you there.

Word metadata

Tuesday, November 15th, 2005

I just noted Bruce Schneier’s post on Microsoft Office metadata. Nothing new here, but it did bring back memories of chatting with someone at the EFF Pioneer Awards 2003 (during CFP 2003) who was planning to publish a paper on scraping the web for Word documents in order to extract their metadata and hidden data. It has been a while since I distributed Word documents, but my general process on Microsoft Word XP for cleaning out the sneaky tidbits before publishing a Word document (or converting to PDF and publishing) was along the lines of:

  1. Open the Word document
  2. Toggle off tracked changes if toggled on (CTRL-SHIFT-E, or Tools->Track Changes)
  3. Copy the document’s contents to the clipboard (CTRL-A then CTRL-C, or Edit->Select All then Edit->Copy)
  4. Create a new Word document (CTRL-N, or File->New)
  5. Paste the clipboard contents into the new document (CTRL-V, or Edit->Paste)
  6. View the properties of the Word document (File->Properties), and copy/paste those fields desired to the new document
  7. View Word’s privacy settings (Tools->Options->Security tab) and check “Remove personal information from file properties on save” (as needed) and “Warn before printing, saving, or sending a file that contains tracked changes” (the latter should always be checked, as should “Hidden text” on the Tools->Options->View tab, so hidden text is visible while you review), and uncheck “Store random number to improve merge accuracy” (that number is a per-document identifier that can link drafts to each other)
  8. Save the new document
  9. Run the “Remove Hidden Data” add-in (File->Remove Hidden Data) on the new document – it can flag things like a table of contents as potential issues, so remove only what you actually want removed
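The copy-into-a-fresh-document routine above is a manual way of leaving behind whatever Word has squirreled away: author and last-editor names in the file properties, the revision counter, tracked deletions that still sit in the file, and runs marked as hidden text. The following is an added example (not from the original post, and not Microsoft's tool) that does the same audit-then-scrub programmatically. Word XP wrote the binary .doc format, so this example assumes the XML-based .docx container that later versions of Word save, where the file properties live in docProps/core.xml and the body in word/document.xml. The skeleton .docx it builds is constructed inline as sample input, and it deliberately handles only those two parts: comments, custom properties, relationships, embedded objects and similar residue are left alone and would need the same treatment.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by the two package parts this example inspects.
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
for prefix, uri in (("w", W), ("cp", CP), ("dc", DC)):
    ET.register_namespace(prefix, uri)  # keep the usual prefixes on output

DEL, INS, RUN = f"{{{W}}}del", f"{{{W}}}ins", f"{{{W}}}r"
VANISH = f"{{{W}}}rPr/{{{W}}}vanish"  # hidden text is a run property

# Constructed sample input: a skeleton .docx carrying the kinds of residue the
# post talks about (personal properties, a tracked change, a hidden run).
# Names and text here are made up for illustration.
SAMPLE_CORE = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">
  <dc:title>Quarterly report</dc:title>
  <dc:creator>alice@example.com</dc:creator>
  <cp:lastModifiedBy>bob</cp:lastModifiedBy>
  <cp:revision>17</cp:revision>
</cp:coreProperties>"""

SAMPLE_DOCUMENT = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W}"><w:body>
  <w:p>
    <w:r><w:t>Revenue was </w:t></w:r>
    <w:del w:author="alice"><w:r><w:delText>down</w:delText></w:r></w:del>
    <w:ins w:author="alice"><w:r><w:t>flat</w:t></w:r></w:ins>
    <w:r><w:t> this quarter.</w:t></w:r>
  </w:p>
  <w:p>
    <w:r><w:rPr><w:vanish/></w:rPr><w:t>TODO: hide the layoffs figure</w:t></w:r>
  </w:p>
</w:body></w:document>"""


def build_sample_docx() -> bytes:
    """Zip the two sample parts into an in-memory .docx (skeleton, not a full package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", SAMPLE_CORE)
        z.writestr("word/document.xml", SAMPLE_DOCUMENT)
    return buf.getvalue()


def audit(docx: bytes) -> dict:
    """Report what a recipient could recover: properties, tracked changes, hidden runs."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        body = ET.fromstring(z.read("word/document.xml"))
    return {
        "properties": {el.tag.split("}")[1]: (el.text or "") for el in core},
        "tracked_changes": len(body.findall(f".//{DEL}")) + len(body.findall(f".//{INS}")),
        "hidden_runs": len(body.findall(f".//{RUN}/{VANISH}")),
    }


def visible_text(docx: bytes) -> str:
    """Concatenate the <w:t> text as a simple extractor (hidden runs included, as Word stores them)."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return "".join(t.text or "" for t in root.iter(f"{{{W}}}t"))


def _parent_map(root):
    return {child: parent for parent in root.iter() for child in parent}


def _scrub_core(data: bytes, keep) -> bytes:
    """Drop every core property except those in `keep` (mirrors 'remove personal information')."""
    root = ET.fromstring(data)
    for el in list(root):
        if el.tag.split("}")[1] not in keep:
            root.remove(el)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def _accept_and_unhide(data: bytes) -> bytes:
    """Accept tracked changes (delete <w:del>, unwrap <w:ins>) and remove hidden runs.
    Assumes changes are not nested inside one another."""
    root = ET.fromstring(data)
    parents = _parent_map(root)
    for el in list(root.iter()):
        if el.tag == DEL:
            parents[el].remove(el)
        elif el.tag == INS:
            parent = parents[el]
            idx = list(parent).index(el)
            parent.remove(el)
            for offset, child in enumerate(list(el)):
                parent.insert(idx + offset, child)
    parents = _parent_map(root)  # recompute after the tree was rewired
    for run in list(root.iter(RUN)):
        if run.find(VANISH) is not None:
            parents[run].remove(run)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def sanitize(docx: bytes, keep=("title",)) -> bytes:
    """Return a copy of the .docx with properties scrubbed and the body cleaned."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name == "docProps/core.xml":
                data = _scrub_core(data, keep)
            elif name == "word/document.xml":
                data = _accept_and_unhide(data)
            dst.writestr(name, data)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", audit(doc))
    clean = sanitize(doc)
    print("after: ", audit(clean))
    print("text:  ", visible_text(clean))
```

Run the audit on the output, not just the input: the point of steps 7 to 9 in the post is the same, namely that you verify the published copy rather than trust the cleaning step.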

via Schneier on Security

Update: NSA report – Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF. Redaction techniques aside, from a quick glance at the cleaning of metadata outlined in that document, the steps look quite familiar.

via SecuriTeam Blogs

H&M Stella McCartney Chaos

Saturday, November 12th, 2005

I have been hearing some first hand accounts of the H&M Stella McCartney launch in New York City (NYC), and the Fashiontribes.com blog has a post by blogette Rachel that does a good job of capturing what it was like at an NYC H&M during this launch.

Like many a fashionista, I was overly excited to be at Soho’s own H&M Thursday November 10th for the launch of the Stella McCartney for H&M.

The launch degenerated into chaos. (I was nowhere near an H&M, but I felt it… I got blown off by someone for this launch.)

In the mayhem, as I reached for the trench coat I so desired (yes, I ranked the pieces I wanted-more on that later) another girl shoved me from behind, lurching for the same trench-the last small available. As she tried to jar the hanger from me, the rack above came crashing down, hitting my head. Needless to say, I let her have the coat.

Thank goodness mannequins are not people.

In the store down the block, the mannequins were ripped apart and dismantled for their clothes. At 51st street, women ran to the merchants like rabid dogs, hunting their prey.

The post goes on to assess the handling of the launch and gives some advice on trying to secure these types of events in the future for both the stores and the customers, such as

(the stores)

Instead of allowing the line to file in (My suggestion, you ask? Allow 10 people in at a time, and allow each person only one of each item), the H&M employees allowed the line-and anyone who happened past the door at that moment-to huddle in.

(the customers)

Next time, I am just going to pay double and shop from home on eBay. I would rather get only a couple pieces-the ones i absolutely adore-than get a massive pile of clothing and a head wound.

Essentially, Rachel is saying learn from these events and use that experience to plan better next time, and she gives examples of this. That message is worth reinforcing, and the hard part is learning the right lessons and applying that knowledge effectively in a world full of tradeoffs (e.g., in response to the 9/11 terrorist attacks, think of the confiscation of nail clippers from plane passengers versus locking strengthened cockpit doors for the duration of the flight). Bruce Schneier has devoted whole books to this topic as applied to the world of security.

The podcast covers the events in more detail. (The way she tells the story had me in stitches at moments.)

(We have had a little work with people in the fashion industry, and the mega outgoing personalities really make these some of our favorite jobs. H&M chaos aside, fashion goes hand in hand with New York City.)

via Fashiontribes.com blog

Security people

Friday, November 11th, 2005

A few days ago, I found myself once again traveling in the wee hours of the morning out to Huntington via the LIRR. This type of trip is normally uneventful and sleepy, but this one sparked some thoughts on security.

I was sitting on the empty floor by the large board listing departures, near the rear of Penn Station, watching the people that walked by as I waited for the track of my train to be listed. The station as a whole was mostly empty, and I had the place where I was sitting all to myself. A woman walked by a few times and attracted a bit of up-close attention from the workers and the strange persons lurking, and this attention did not appear to be a good thing, as she looked very uncomfortable. She eyeballed me, and the next thing I knew, she was sitting on the floor right next to me, wearing headphones like the ones I had on, and watching the board as she waited for her train. After that, people just assumed we were together and kept their distance.

The train to Huntington station was quite empty, and there were open seats everywhere. During the long trip, a woman changed her seat for the one an arm’s length away from me and directly facing me. She eyeballed me, smiled, asked me where I was going, and then curled up on the seat and went to sleep. At one point, a man walked by, peered at her, laughed, and said to me, “Your woman is laid out.” Once again, people just assumed we were together. I woke her when we hit the last stop for that train, Huntington station, and made sure she looked reasonably alert before I went off to meet my ride.

Now, I may be a good-looking guy (in my humble opinion, at least ;) ), but this was not flirting. I was used for security. Twice I was assessed, determined to be a friend and beneficial instead of a foe or threat, and then used to counter threats and mitigate risks. These people did so without scanning me with metal and chemical detectors, checking my identification, or making me feel harassed. They used their real-world experience, applied it to me, my look, and my behavior, and made solid judgments based on the current situations. These are the types of skills necessary for people working in roles such as security screening at airports.