You've Got to Be Kidding
Computer people are sometimes accused of having no sense of humor. The truth is they are very funny, but don't realize it. For 14 months (August 2002 - October 2003), You've Got To Be Kidding highlighted a news story illustrating droll computer humor. You can visit the listed media sources for details.
This is a free, pro bono service. If you enjoy it, check out Bill's novel.
Can you imagine naming your organization the Department of Justice? Whoa. Any organization capable of such presumption surely could rise to other equally breathtaking acts. One needs only watch and wait. In October, folks who’d been watching and waiting saw the Justice Department respond to a Freedom of Information Act (FOIA) request by posting to its web site a report on internal workplace diversity. Vast portions of the text had been blacked out, to hide information the department did not want released.
Several days later, as Kevin Poulsen of SecurityFocus reported in The Register, the full report--minus the opaque black rectangles--appeared on another web site. “It turns out the report began its life as a Microsoft Word document, and whoever was in charge of sanitizing it for public release did so by using Word’s highlight tool, with the highlight color set to black.” That Word document was then posted in Adobe's Portable Document Format (PDF). Apparently the department presumed curious citizens could not crack the PDF file open and tinker with the blacked-out text. Bad presumption. A highlight changes the background color behind a word; it does not remove the word. The text sat intact beneath the black boxes, and a copy-and-paste or any text extractor pulled it straight out. Turns out such recovery is not only possible, it’s easy, if you know what you’re doing, which explains the department’s gaffe. Turns out also that department sanitizers appear to have gotten carried away with their black highlighter and excised far more than they were allowed by law to withhold, such as the fact that department attorneys perceive racial harassment to be a problem. A Justice Department spokesman tried to comment on the story, but his words were muffled by black tape over his mouth.
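To show why a black box over text is not redaction, here is an added example (not code from the column, and not the Justice Department's document). It hand-builds two minimal PDFs: in the first the sensitive sentence is drawn and a black rectangle is painted on top of it, which is all a black highlight becomes after conversion; in the second the sentence is removed before the file is written. A naive extractor that only reads the content stream recovers the sentence from the first and not the second. The report title and the sentence are constructed stand-ins, not text from the real report.

```python
"""Why a black highlight is not redaction.

Added example, not code from the column or the report it describes. The
title and sentence below are constructed, not taken from the real document.
"""
import re
import zlib
from typing import List, Optional

TITLE = "Workplace diversity report"                                  # constructed
SENSITIVE = "Attorneys perceive racial harassment to be a problem"    # constructed


def content_stream(title: str, secret: Optional[str]) -> bytes:
    """Draw the title; if `secret` is given, draw it and then paint a black
    box over it. The box changes pixels, not the text operators."""
    ops = ["BT", "/F1 12 Tf", "72 700 Td", "(%s) Tj" % title]
    if secret is not None:
        ops += ["0 -20 Td", "(%s) Tj" % secret, "ET",
                "0 g", "72 676 420 14 re", "f"]   # black rectangle over line two
    else:
        ops.append("ET")
    return ("\n".join(ops) + "\n").encode("latin-1")


def build_pdf(stream: bytes) -> bytes:
    """Wrap one Flate-compressed content stream in a valid PDF 1.4 file."""
    comp = zlib.compress(stream)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp)
        + comp + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref)
    return bytes(out)


STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.S)
TJ_RE = re.compile(rb"\(([^()]*)\)\s*Tj")


def extract_text(pdf: bytes) -> List[str]:
    """Inflate each stream and collect every (...) Tj string. Fill colour,
    rectangles and drawing order are ignored, exactly as copy-and-paste or
    pdftotext ignore a box painted over text."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        data = m.group(1)
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass  # uncompressed stream, use as-is
        found += [s.decode("latin-1") for s in TJ_RE.findall(data)]
    return found


def overlay_redacted_pdf() -> bytes:
    """The Justice Department way: text kept, black box drawn on top."""
    return build_pdf(content_stream(TITLE, SENSITIVE))


def truly_redacted_pdf() -> bytes:
    """Real redaction: the sentence never reaches the file."""
    return build_pdf(content_stream(TITLE, None))


def leaks(pdf: bytes) -> bool:
    """True if the sensitive sentence can be read back out of the PDF."""
    return any(SENSITIVE in s for s in extract_text(pdf))


if __name__ == "__main__":
    print("overlay redaction leaks:", leaks(overlay_redacted_pdf()))  # True
    print("true redaction leaks:   ", leaks(truly_redacted_pdf()))    # False
```

The extractor deliberately knows nothing about graphics state, which is the point: neither does the clipboard. Real redaction tools remove the text operators (and the glyphs' metadata, and any cached thumbnails) before the file leaves the building; anything that only paints over them is cosmetics.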
Spam plumbed new depths with the note that advertised, “Spy on Anyone by sending them an E-Greeting Card!” Below the graphic, large type directed the recipient to “Click here.” Right. A firm that claims to surreptitiously install spyware when someone clicks through to their e-cards tells you to click through to their site for information. A snippet of dialogue comes to mind.
What might spyware do? I did not click through to find out. It’s certainly possible for spyware to record every keystroke on the target machine, package them up, and spirit them away. Heck, it could also record what’s said in the vicinity of the target computer. And if the target has a web cam… Well. See you later.
A coworker received the following email note over the Internet. “Important notice. We have just charged your credit card for money laundry service in amount of $234.65 (because you are either child pornography webmaster or deal with dirty money, which require us to layndry them and then send to your checking account). If you feel this transaction was made by our mistake, please press ‘No’. If you confirm this transaction, please press ‘Yes’ and fill in the form below.” The form asked for your credit card number and expiration date.
Another coworker received a note from the same company (Fethard) with the subject line, “Money Laundry Solutions from Fethard.biz.” The note was forthright: “Are you in the business of child pornography and have difficulties with transferring money from one point to another? Are you tired of edless taxes? Are you tired of ‘antilaundring’ programs in your bank? Is your onlne business in shadow? Do you currently have in your possession illegally earned money and have difficulties placing it into your bank account? Open an account with Fethard Finance today and we guarantee to solve all your problems immediately!!!” The note lists the bank's features, such as currency exchange. “Someone has transfered you US dollars instead of your beloved Nicaragua cordobas? You don't need to kill this person. Just make an exchange at our bank and let this person live.” The note invites visitors to http://www.fethard.biz and lists the company address, phone, and fax numbers in Montevideo, Uruguay, along with several names.
The Fethard web site itself features an announcement that these email notes have been “spoofed.” That is, the site says someone else made up the notes and forged the Fethard address. Apparently Fethard turned over information on some of its accounts to the authorities and that act might have ticked off some clientele. The bright side is that money launderers may not be able to spell too well, but at least they appear to have a sense of humor.
Justice is not always poetic but it can be entertaining. Pity the poor porn industry, under attack by a hacker extortionist named “Deepsy.” Noah Shachtman, writing for Wired News, reported the story. It seems Deepsy contacted go****yourself.com (or GFY), the best-known bulletin board for adult webmasters, and said he would cripple the site in twenty minutes unless a GFY webmeister contacted him to “discuss...further instructions.” GFY members disregarded the threat until Deepsy kept his promise by launching an attack that put the site out of commission for hours. He went on to demand $1,500 each from at least three different sites. Some reportedly paid his fee.
Normally one reports such indecent activity to the police, but as one porn site owner said, “It's hard for the adult industries to go to the authorities.” Yet at least one screwed up his courage and brought in the FBI. According to Shachtman, “Bureau spokesman Bill Murray said the FBI is in the process of determining which law enforcement agency is best equipped to handle the case.” One can envision the agents’ sober discussions on this matter. On the other hand, Luke Ford, author of A History of X: 100 Years of Sex in Film, wrote in an email that “Deepsy should be worried for his life. Some of these Internet players would kill over matters like this.” A GFY member added, “I'll gladly have someone take care of things. ****ing blackmailing ****face must die.” He did not use a smiley-face emoticon.
The story broke on multiple fronts—Benetton, the Italian retailer, planned to put Radio Frequency ID tags in its clothes. The tags would enable Benetton to track clothes from when they’re produced until they’re sold. However, according to RFID Journal, “The chips will remain active even after the products are sold, so they can be used to track returns.” Not to mention track people wearing Benetton clothes. Some pundits speculated about subpoenas for RFID logs, to prove where someone had been. CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) called for a worldwide boycott of Benetton. Meanwhile, the company that makes the chips Benetton planned to use clarified that their tags “have a [self-destruct] feature that enables the retailer to disable the chip once a product has been purchased.” According to Winston Chai and Richard Shim with CNET News, Benetton has not said whether it will disable the tags when items are sold. Where could this lead? Well, the European central bank is considering embedding RFID tags into Euro banknotes by 2005. Seems the new tags, smaller than a grain of sand, can help defend against counterfeiting and money-laundering. One possibility is that the tags would be used only on large bills. No doubt the matter is being closely watched by high-tech pickpockets.
[TaleCatcher™ Exclusive] The email offer came from a site in Russia (rego.regoteam.pp.ru): “Do you want to get rid of your competitors? Or blackmail your boss because he didn't pay you? We can help!”
Regoteam’s specialty is distributed denial of service (DDOS) attacks that drown a target site in traffic, but they’re eager to be helpful in other ways. “Ddos attack on any internet server. We pay admins of irc.icq.com for hosting so our bandwidth is huge and our knowledge of such attacks allows us to fulfil (sic) any requirement. If you are in need of Ddos attacks, or simply looking for specific content for your web site (like child porn or anything weird) - tell us and wi (sic) will give you what you need!”
How incredibly helpful. But isn’t it, well, illegal? Yes, it is, in the U.S. In Russia it is, at any rate, openly advertised. A colleague of mine (who prefers anonymity) explained. “There is an extensive market for hacker services on the Russian-speaking Internet. Groups and individuals openly offer services in this vein on their public websites (sometimes with fixed price scales for different kinds of attacks), and it is easy to find forums where other individuals seek to hire hackers for electronic intrusions or other online attacks. For them, this is just business.” Welcome to cyberspace, dude.
Office workers at London's Waterloo Station were recently asked a series of questions about security, including: What is your password? Three quarters of the people simply blurted out their passwords. An additional 15 percent tried to hold out but fell victim to trick questions. Only ten percent proved sufficiently security conscious (or unhelpful) to keep their passwords secret. Fat lot of good it did, their colleagues having already sold the store.
This “survey,” as reported by John Leyden in The Register, was conducted by the folks who organized the InfoSecurity Europe 2003 conference. As for office ethics, the “majority of workers (80 per cent) would take confidential information with them when they change jobs and would not keep salary details confidential if they came across them…. Two thirds of workers admitted they had emailed colleagues illicit, unsavory pictures or dirty jokes [with] 91 per cent of men [having sent] unsavory emails compared to only 40 per cent of women.”
What this means is security that depends on users will work about as well as a car with an independent steering wheel on each tire. After all, the annoying thing about vehicles is, they go where you point them.
Clain Anderson of Chapel Hill, N.C., is IBM's director of client security and is scheduled next month in Miami to give a lecture on “Defending Cyberspace.” Not expected to attend that lecture is Anderson’s 17-year-old son, Loren, who will probably still be in a Long Island jail, charged with grand larceny, identity theft, and criminal possession of a forged instrument. According to Kieran Crowley, writing for the New York Post, the younger Anderson “is accused of masterminding an identity-theft [computer fraud] that was used to illegally withdraw cash from ATMs.” The youth had allegedly run an ATM counterfeiting scheme in North Carolina before moving from his family's home to Long Island, where he rented a $2,300-a-month luxury garden apartment. “Asked how it felt, as a computer security executive, to have his own son arrested for computer fraud, [the elder Anderson] replied, ‘I have no comment.’”
There seems little doubt that Stefan Puffer hacked into the Harris County district clerk's wireless computer system. In fact, as reported by Rosanna Ruiz of the Houston Chronicle, “One breach occurred…when Puffer showed clerk's office officials and a Houston Chronicle reporter how he was able to break into the system using his laptop, a computer program and a phone card.” The reporter did what reporters do—published an article in the Chronicle. The justice officials did what justice officials do—charged Puffer with “two counts of unauthorized access into a protected computer system and unauthorized access of a computer system used in justice administration.” Jurors took “about fifteen minutes” to acquit Puffer. According to Puffer’s attorney, “‘throughout the trial we proved…the county had their wireless butt out….’” Ruiz reported that, during the trial, “an FBI agent testified that Puffer asked during questioning what punishment he faced if he was found guilty. The [Federal prosecutor] interpreted the question as an admission of guilt.” For the record, Puffer faced up to five years in federal prison for every count.
Margery Williams told the classic tale of a cast-off velveteen rabbit that was found by the nursery magic Fairy and made real. Consider, then, discarded hard drives, cast off by their owners. MIT graduate students Simson Garfinkel and Abhi Shelat bought 158 used hard drives from secondhand computer stores and eBay. The two students published an article in the journal IEEE Security & Privacy, reporting what they found on the drives: medical correspondence, love letters, pornography. One had 5,000 credit card numbers. Another had a year's worth of ATM transactions and account numbers. Clearly, secondhand drives can live again and bring great joy to their new owners. Justin Pope, writing for The Associated Press, tells how Garfinkel became interested in the topic. “As an undergrad at MIT in the 1980s, he failed to sanitize his own hard drive before returning a computer to his father, who was able to read his personal journal.”
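What Garfinkel and Shelat found is the ordinary consequence of how deletion works: the filesystem forgets the name and leaves the sectors alone. The added example below (not the students' code or data) simulates a tiny disk image, writes a file, "deletes" it by clearing only the directory entry, and then carves Luhn-valid 16-digit card numbers straight out of the raw sectors, the way a drive scan ignores the filesystem entirely. A final pass overwrites the image and the carve comes up empty. The card numbers are constructed test values, not real accounts.

```python
"""Data remanence on a cast-off drive.

Added example, not the Garfinkel/Shelat code or data. The ledger text and
card numbers are constructed test values.
"""
import re
from typing import Dict, List

SECTOR = 512
CARD_RE = re.compile(rb"(?<!\d)(\d{16})(?!\d)")   # exactly 16 digits, not embedded in a longer run


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, which separates card numbers from other
    16-digit runs such as order references or timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def carve_cards(image: bytes) -> List[str]:
    """Ignore the filesystem entirely and scan every byte of the image."""
    return [m.group(1).decode("ascii") for m in CARD_RE.finditer(image)
            if luhn_ok(m.group(1).decode("ascii"))]


class ToyDisk:
    """Sector 0 holds a single directory entry; file data starts at sector 1."""

    def __init__(self, sectors: int = 8) -> None:
        self.image = bytearray(SECTOR * sectors)

    def write_file(self, name: bytes, data: bytes, start: int = 1) -> None:
        entry = (name.ljust(32, b"\0") + start.to_bytes(2, "little")
                 + len(data).to_bytes(4, "little"))
        self.image[0:len(entry)] = entry
        off = start * SECTOR
        self.image[off:off + len(data)] = data

    def delete_file(self) -> None:
        """Ordinary delete: unlink the name, leave the data sectors as they are."""
        self.image[0:38] = bytes(38)

    def sanitize(self) -> None:
        """Overwrite every sector; what the sellers should have done."""
        self.image[:] = bytes(len(self.image))


def demo() -> Dict[str, List[str]]:
    """Write, delete, carve; wipe, carve again."""
    disk = ToyDisk()
    ledger = (b"ATM ledger 2002\n"                       # constructed sample file
              b"card 4111111111111111 exp 04/05\n"       # passes Luhn
              b"order ref 1234567890123456\n"            # 16 digits, fails Luhn
              b"backup card 5500000000000004\n")         # passes Luhn
    disk.write_file(b"ledger.txt", ledger)
    disk.delete_file()
    after_delete = carve_cards(bytes(disk.image))
    disk.sanitize()
    after_wipe = carve_cards(bytes(disk.image))
    return {"after_delete": after_delete, "after_wipe": after_wipe}


if __name__ == "__main__":
    for stage, cards in demo().items():
        print(stage, cards)
```

The carve needs no knowledge of the filesystem at all, which is why "I deleted everything before I sold it" is no defence. A single overwrite pass of the whole device (or the drive's own secure-erase command, which is the only reliable route on flash media) is what actually empties it.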
A twelve-year-old boy told BBC Radio how he could make an email appear as if it came from TonyBlair@Labour.gov.uk. Robert Uhlig of The Telegraph reported that “Using software freely available on the Internet, the boy, known only as Tommy, exposed a loophole in the Government's email system that could compromise national security.” The boy used a hacker technique called email spoofing.
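The "loophole" is SMTP itself: the server never checks that the From: line inside a message matches the sender the connecting client announced in MAIL FROM, so anyone can type TonyBlair@Labour.gov.uk into the header. What a receiving server does record is the envelope sender (as Return-Path) and the host that handed the message over (in a Received line). The added example below (not from the Telegraph report) is a check a receiving gateway could apply: compare the header From domain against those two records. Both messages, the host names and the 192.0.2.x addresses are constructed.

```python
"""Header From versus envelope From.

Added example, not from the Telegraph report. Both messages below are
constructed, as are the host names and the 192.0.2.x (TEST-NET) addresses.
"""
import re
from email import policy
from email.message import Message
from email.parser import BytesParser
from email.utils import parseaddr
from typing import Optional

# As delivered to the recipient's mailbox: the receiving MTA prepended
# Return-Path (copied from MAIL FROM) and its own Received line.
SPOOFED = b"\n".join([
    b"Return-Path: <tommy@dialup.example.net>",
    b"Received: from pc-tommy.example.net (pc-tommy.example.net [192.0.2.10])",
    b"\tby mx.example.com with SMTP; Tue, 1 Apr 2003 10:00:00 +0100",
    b"From: Tony Blair <TonyBlair@Labour.gov.uk>",
    b"To: editor@example.com",
    b"Subject: A note from Number 10",
    b"",
    b"This header cost nothing to forge.",
    b"",
])

GENUINE = b"\n".join([
    b"Return-Path: <press.office@labour.gov.uk>",
    b"Received: from mail.labour.gov.uk (mail.labour.gov.uk [192.0.2.20])",
    b"\tby mx.example.com with SMTP; Tue, 1 Apr 2003 10:05:00 +0100",
    b"From: Press Office <press.office@labour.gov.uk>",
    b"To: editor@example.com",
    b"Subject: Statement",
    b"",
    b"Envelope and header agree here.",
    b"",
])

RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.I)


def domain_of(addr: str) -> str:
    """Lower-cased domain part of a header value such as 'Name <a@b>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def handoff_host(msg: Message) -> str:
    """Host named in the topmost (most recent) Received line, if any."""
    received = msg.get_all("Received") or []
    m = RECEIVED_FROM.match(str(received[0]).strip()) if received else None
    return m.group(1).lower() if m else ""


def from_mismatch(raw: bytes) -> Optional[str]:
    """Return a reason string when the header From domain disagrees with the
    envelope sender recorded in Return-Path, else None."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    header = domain_of(str(msg["From"] or ""))
    envelope = domain_of(str(msg["Return-Path"] or ""))
    if header and envelope and header != envelope:
        return "header From claims %s but envelope sender is %s (handed over by %s)" % (
            header, envelope, handoff_host(msg))
    return None


if __name__ == "__main__":
    print("spoofed:", from_mismatch(SPOOFED))
    print("genuine:", from_mismatch(GENUINE))
```

A mismatch is evidence, not proof: mailing lists and forwarders legitimately rewrite the envelope while leaving the header alone, so a gateway should score this alongside the Received chain rather than reject outright. The standardized versions of this idea, SPF (which binds the envelope domain to authorized sending hosts) and DKIM (which signs the header itself), came later than the events in this column.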
The official Iraqi government Web site at uruklink.net/iraq allows visitors to send email to Saddam Hussein. Brian McWilliams stumbled onto a way to check Saddam’s mail. McWilliams, based in Durham, NH, is a freelance journalist who writes on Internet security. He guessed the password for Saddam’s account and downloaded over 1,000 messages. The story was published in Wired News Online and the International Herald Tribune and distributed by the Associated Press.
Saddam’s mail revealed American generosity, such as the California CEO who requested a meeting to discuss "exporting of rich technology aboard." The company claimed to have technology capable of "igniting large sections of the atmosphere." Someone writing from Austria told Saddam that if the United States attacked Iraq, "you need only send a ticket and I will come to Iraq to fight Americans. I am a good shot, and I am serious about my offer." On the other hand, an American who claimed to be a Gulf War veteran wrote, "I deeply regret that a political solution was made before my friends and I had a chance to completely wipe your cartoon character of a leader o(f)f the face of this earth." The American said he would welcome a chance to finish the job; he did not say whether he was from Texas.
You get a cheery email that purports to be from firstname.lastname@example.org and announces, "You have received an e-card." When you click on the cartoon graphic, you're taken to surprisecards.net, where you must accept an "e-card viewer plug-in" to read the card. You accept the plug-in because it is under the protection of an authentic digital certificate, which assures the identity of its source. That is all a code-signing certificate assures; it says nothing about what the plug-in does once you let it in.
According to eWeek, "a worldwide team of volunteers, using spare computing power, found the secret key for a message encrypted with the RC5-64 cipher, winning a $10,000 prize and, they say, casting some doubt on the security of messages protected by the cipher." To achieve the feat, 331,252 volunteers banded together to contribute spare processing time on their machines. Over four years, they tried 15,769,938,165,961,326,592 keys before finding the right one. A 64-bit key space holds 2^64, roughly 1.8 × 10^19, keys, so the search had covered about 85 percent of it when the key turned up. Fortunately, no keys broke in the lock. "The team's organizers said their effort should ... cause people to think twice before using the 64-bit RC5 cipher to encrypt some data," eWeek reported. There was no mention of how the $10,000 prize would be divided among the 331,252 winners.
Several news sources reported that ForensicTec Solutions Inc. had broken into dozens of government computer systems. According to The Washington Post, ForensicTec noticed the systems were vulnerable but "continued examining the systems because they were curious and appalled by how easy it was." They perused "hundreds of confidential files containing military procedures, e-mail, Social Security numbers and financial data." ForensicTec president Brett O'Keeffe said they realized they had found a serious problem and wanted to help the government. "We could have easily walked away from it," O'Keeffe told The Post, but added that his goal was to call attention to the need for better security and "get some positive exposure." Unfortunately, it is a felony to access a computer without permission. The day after the stories were published, about twenty investigators from the FBI, the Army, and NASA descended on the company and searched its offices. Brett O'Keeffe had no further