Monthly Archives: October 2007

Fraud: Fake Zep Tickets on Ebay

Now this is chutzpah:
Although our reporter was not the winning bidder, the seller contacted us and claimed the winner had failed to pay. She then quoted a price of £2,400 and said she would post the tickets to our reporter.

But we had already contacted the winning bidder via Ebay; he told us that he had already transferred £2,414 to the seller’s bank account.

Fraudsters hijack Led Zeppelin concert, Promoter blames Ebay for failing to take down auctions for non-existent tickets, Dinah Greek, Computeract!ve, 30 Oct 2007

Not only are these invalid tickets, but the seller was selling them twice.

-jsq

Better Products Bootstrap

Gunnar notes the formation of a software vendor security best practices consortium and asks:
Why not bootstrap a Fortune 500 Secure Coding Initiative to drive better products, services and share best practices in the software security space?

Secure Coding Advocacy Group, Gunnar Peterson, 1 Raindrop, 23 October 2007

Yes, if the customers demanded it, that might make some difference, and the vendors do pay the most attention to the biggest customers. Of course the biggest customer is the U.S. government, and it seems more interested in CYA than in actual security. And I’m a bit jaded on “best practices” after reading Black Swans. But regardless of the specific form of better such a group demanded, demanding better security might make some difference.

Maybe they could also demand risk management, which would include having watchers watching ipsos custodes. Not in the circular, never-ending hamster wheel of death style, but for actual improvement.

-jsq

Fingerprint False Positives

Not all that glitters is gold:
“Fingerprints, before DNA, were always considered the gold standard of forensic science, and it’s turning out that there’s a lot more tin in that field than gold,” he said. “The public needs to understand that. This judge is declaring, not to mix my metaphors, that the emperor has no clothes.”

Judge bars use of partial prints in murder trial, By Jennifer McMenamin, Sun Reporter, October 23, 2007

The judge did this because of the partial fingerprint false positive linking an Oregon lawyer to the Madrid bombings. Apparently that was only one of twenty false matches in that case. So the judge in this homicide case has ruled that partial fingerprint matches can’t be used as evidence.

At a pretrial hearing in May, prosecutors argued that fingerprint evidence has been accepted by the courts and relied upon for nearly 100 years. Defense attorneys countered that there is no similar history of subjecting the evidence to scientific review.

“The state is correct that fingerprint evidence has been used in criminal cases for almost a century,” Souder, the judge, wrote in her decision. “While that fact is worthy of consideration, it does not prove reliability. For many centuries, perhaps for millennia, humans thought that the earth was flat.”

So if a hundred-year-old “gold” standard of evidence turns out to be tin, what about all the wide-scan wiretap dragnet evidence that certain governments seem intent on compiling these days?

-jsq

PS: Seen on Bruce Schneier’s blog.

Chinese Firewall Viewed as Vacuum

In addition to the Chinese national firewall being used as a Panopticon that encourages self-censorship, other uses are now emerging:
Further to our earlier story on visitors to Google Blogsearch being redirected to Baidu in China, new reports have surfaced that would indicate that China has unilaterally blocked all three major search engines in China and is redirecting all requests to Baidu.

Cyberwar: China Declares War On Western Search Sites, by Duncan Riley, TechCrunch, 18 October 2007

Sort of an involuntary proxy, going somewhere other than where you thought.

Note the distinction between censorship and this new action:

…the redirect to Baidu would indicate an economic motive; if the Chinese Government were serious about censorship alone we would have reports of page not found/ blocked messages, not redirects to Baidu. The Chinese Government is clearly using its censorship regime to the economic benefit of a Chinese owned (but NASDAQ listed) company.

And also remember that there are U.S. government sponsored web panopticon projects. Research projects so far, or so far as we know.

-jsq

PS: Seen on Dancho Danchev‘s blog.

eCrime Papers Posted

The APWG eCrime Researchers Summit has released its papers by linking them from its agenda. Lots of interesting stuff there about phishing and website takedown, capture and recapture, password reuse, behavioral reaction, etc.

There were also sessions on getting technology solutions adopted and user education, but those appeared to be panels, and don’t have papers posted.

-jsq

Massachusetts Earthquakes

In addition to the possibility of hurricanes (the Long Island Express also went through Massachusetts) and tornadoes, does Massachusetts also need to worry about earthquakes interrupting baseball games?

For the second time this month an earthquake has hit Massachusetts.

NewsCenter 5 received numerous calls from people in the Groton, Westford and Littleton area. Residents said that they heard what sounded like a loud boom or explosion. Some said that they felt their homes shake.

The U.S. Geological Survey confirmed that an earthquake measuring 2.5 hit the region at about 1:30 a.m. Residents in Westford and Littleton also said that they heard rumblings at about 6:05 a.m.

Earthquake Shakes Bay State, Residents In Route 2 Area Report Loud Boom, TheBostonChannel.com, 19 Oct 2007

Like hurricanes and tornadoes, it has happened before:

….a quake that shook Newburyport on Oct. 29, 1727. That was a 5.5 magnitude earthquake that was felt from Maine to Philadelphia.

Bay State Residents Jolted By Ancient Earthquake, Quake Measured 1.8 On Richter Scale, TheBostonChannel.com, 10 Oct 2007

Are earthquakes as likely as tornadoes or hurricanes to cause damage in Massachusetts?


Designing the New York Hurricane

Funny how having an unexpected tornado literally in your back yard can make you sensitive to how even a hurricane could happen here. Making Light, based in Brooklyn, has picked up Bruce Sterling’s find of an NYC Post-Disaster Competition and run with it. The competition pages themselves are a wealth of information, for example storm paths and damage estimates for the hurricanes of 1893, 1938 (Long Island Express), 1954 (Carol), 1960 (Donna), 1985 (Gloria), 1991 (Bob), and 1999 (Tropical Storm Floyd). Funny how, when you start paying attention, not only could it happen here, it has, repeatedly, and could again, much worse. Making Light builds on that with numerous bits of information and comments from interested parties, perhaps because

Cripes, I almost feel like I live there.

What if New York City gets socked by a category-3 hurricane? by Patrick Nielsen Hayden, Making Light, 12 October 2007

Echoes of New Orleans are not hard to find:

On the other hand, it takes something on the order of dynamite to get us out of spaces where we’ve resided a long time. My guess is that a lot of people who should leave won’t, but they’ll be very helpful and cooperative about it.

Maybe we all do live there.

-jsq

RIAA Money Pit

RIAA demonstrates how to not only alienate customers by suing them, but lose money while doing so:

During an occasionally testy cross examination, a Sony executive said what many observers have suspected for a long time. The RIAA’s four-year-old lawsuit campaign is costing the music industry millions of dollars and is a big money-loser for the record labels. The revelation came during the first day of Capitol Records v. Jammie Thomas, the first file-sharing case to go to trial (it was formerly known as Virgin v. Thomas, but the sole Virgin Records track was stricken from the complaint, making Capitol Records the lead plaintiff).

RIAA anti-P2P campaign a real money pit, according to testimony, By Eric Bangeman, ars technica, October 02, 2007 – 11:40PM CT

I don’t quite understand how this is good for anybody, except maybe iTunes. As risk management goes, it’s about as negative as it gets.

-jsq