Friday 1 June 2007

Zulfikar Ramzan is Correct About Phishing

Zully is right on in his demolition of Mikko Hypponen's idea for a ".bank" TLD.

Writing on Symantec's Security Response weblog, he basically urinates all over Mikko's plan (although he's a lot more diplomatic than that). Some choice cuts:
"Phishers don't have to use the .bank extension and most users will fail to notice ... if you look at almost every phishing site these days, the URL itself is a blatant giveaway that you're not at an authentic site."

"The proposal will also lull users into a false sense of security for a number of reasons ... The bad guys may still be able to get .bank domains ... won't stop phishing attacks that exploit cross-site scripting vulnerabilities ... Browsers are sometimes susceptible to address-bar overlay vulnerabilities."
Or, to put it another way, the problem with this proposal is that roughly half the population have below-average intelligence (hat tip: APHC).

Sure, it's easy to be a critic, but such ideas just waste energy that could be ploughed into useful furrows, such as DKIM and domain-level reputation.

See also: BofA Sitekey, Yahoo! Signin Seal, etc., etc.

Thursday 31 May 2007

Soloway Arrested

I guess it's OK to call Robert Soloway a spammer -- he was already convicted on U.S. civil charges of spamming in 2003.

This time though, he's been arrested on criminal charges, brought by the FTC. The list of laws he's alleged to have broken is extensive:
  • 10 counts of mail fraud
  • 5 counts of wire fraud
  • 5 counts of identity theft (aggravated)
  • 13 counts of money laundering
  • 2 counts of email fraud (the only counts related to the CAN-SPAM Act)
If convicted, the possible penalties add up to a very long time in jail. Aunty Beeb thinks 65 years, but that estimate might be on the high side...

Assuming that he didn't give up spamming in 2003, his arrest (so far without bail) should at the very least cause less spam to be sent (i.e. the spam he would otherwise have sent while he's in custody). If he gets jail time, so much the better.

So far, all the high profile civil spammer convictions have involved fines, with the exception of Jeremy Jaynes. These fines seem on the face of it to be large, but in comparison with the money earned by successful spammers, not so much.

While those convictions increased spammers' fear of getting caught, they also served to publicize the amounts that successful spammers can make -- it may have actually encouraged new spammers to enter the game. That's the law of unintended consequences in action.

This is how the law works. Laws encode a society's terms of acceptable behavior. The credible threat of punishment removes the incentive for bad actors to... well... act badly.

The various laws that prohibit spamming just got much more credible.

More: Seattle PI / TechMeme

Palm Foleo: What the UMPC Should Have Been

Lots o'chatter today about Palm's new toy. Sounds to me like what Microsoft's Origami/UMPC should have been: light, focussed, inexpensive, instant-on.

Most criticism boils down to, "It's not a full-featured Windows laptop." Well, duh!

Let's see: Ultra-light / Inexpensive / Full-featured -- Choose any two.

In many ways, it tries to solve the same problems as the Nokia 770/N800 line -- but in a more conventional form-factor (i.e., it has a keyboard). Hopefully Palm can encourage a lively developer community at least as strong as Maemo's.

Update: here's Palm's Jeff Hawkins showing off his new baby:

Tuesday 29 May 2007

Yak 9B Almost Crashes at Airshow

Ouch. Egg meet face.

Here, for your delectation is the luckiest stunt pilot in the world.


Hat tip: Sulako.