If you tell enough stories, perhaps the moral will show up.


Spam Counter - 2008 November: 852

This month's drop is the the famous McColo effect. It'll be interesting to see how a whole month without McColo looks on 12/12.
The content seems the same as ever.
Two interesting papers about email-delivered nuisances: spam and phishing. Each offers methodologies which finally give realistic estimates for the return from penis spam and phishing. Both agree there's very little profit in it -- mugs and losers are, after all, a limited resource. Which is nice.


Chinese Hackers are Real, I Tell You...

... And they're planning to flood the world with cheap telephones.

Al sits close to the Head of IT -- a position that reflects his operational centrality, and the affection in which he is held. But he came to me with a puzzle about his Hotmail. It seemed that he'd managed to send himself, and all his contacts, an email advertising http://www.feixiangyu.com -- an electrical distributor.
Well, we looked at things like his spam folder, and whether it was just in fact a particularly artful non-delivery notice. But soon he had replies from his contacts congratulating him on his new business venture.....
Now the beauty of Hotmail is that it's easy to attribute. The X-Originating-IP header gives just that -- the IP address of the originating computer, which is the IP that Hotmail saw as the browser that "got" (GETed?) the send links. This one was and Sam Spade plumps that in the middle of the Middle Kingdom. The ISP is Chinanet, and the PoP is Zhengzhou -- capital of Henan, a respectful distance from the Yellow River -- seven million people in a few square miles, and at least one dodgy marketing guy.
On the whole, I'd rather be hacked by Chinese shopkeepers than the Russian Mafia -- you're less likely to have your bank account emptied. I told Al to change his passwords, check his bank statement, and run an online AV check on his home PC. I sure hope that shows something, otherwise I'm going to have to wonder whether it happened on his office machine, and that's something I just don't want....


Microclimate (2)

A nice strong frosty morning. When the train went into Sevenoaks tunnel, the double-glazed windows were clear, but when it came out, they were obscured by condensation -- on the outside.

I guess it takes a while for the roots of the North Downs to cool.


Solving the Wrong Problem (a different one)

Now, listen. Encryption is probably not the solution to your problem. We hear a lot about encryption these days and it seems to be widely imagined as the solution to a problem, or a reason why it's not a problem: "it was encrypted", "we'd better encrypt that". Keep an ear cocked for that sort of thinking, because it is the sounds of someone making a mistake. Encryption doesn't solve any problem, not even access control problems. It replaces access control with a smaller, tougher issue: Key Management. Whether that helps at all depends on the situation. It's late and I'm tired so I'll cut through and state the facts. Encyption only helps when the key management problem can be solved, and the key management problem can only be solved in strict binary situations: When you can cast the problem in terms "everyone in this group gets full access without per-user auditing and no-one else gets anything" then maybe you could try encryption:

  • Access for a single person against the whole world -- keeping personal secrets
  • The same plan for a group small enough to maintain perfect mutual trust. Some of us feel that the maximum size for such a group is one.
  • Shared channel against the world: the VPN and encrypted device
It's Us (or rather Me) and Them. If you have any other problem, don't bother with encryption.


Voter Insecurity

It hardly matters, but on the whole, and despite even Sarah Palin, I somewhat prefer the idea of President McCain. The other guy is just so -- well -- young. As well as being a lifetime politician.

If McCain loses, well, that's just what the polls were saying. It's easy to accept unsurprising results.

But if he wins, I won't know what to think. The trouble I have is that I just don't believe in the integrity of the US voting system. Why do you need a machine to vote with? It seems as though the sole purpose is to create opportunities to bugger it up, with ballot layouts designed to fit around punch cards, more-or-less functional touch screens and the Dear knows what else.

It seems that some counties actually have voting machines where the votes only exist as totals on a CF card. That's OK for money: You can audit against the books of first entry. But ballot papers -- the petty cash slips of the political world -- are just missing from conventional PC based voting machines.

So I'm hoping for a landslide, because I don't think the USA needs another argument about who truly won.


The Angry Cyberwarrior

All over the world, we are told, war departments cosset their lists of unpublished vulnerabilities, kept in reserve to get into enemy systems. If that's true, there must have been more than one outburst of tantrums and glum looks when MS published MS08-067. It's a splendid vulnerability and one that would have saved a lot of social engineering and spying.

Now it's worthless.

Spam Counter - 2008 October: 1387

No real change. Penis pills and Russian ladies: Olga and TatianaG want to meet me?