30 Dec 2009
Someone noted that I am not their target demographic. I guess not. Perhaps I should call up and ask for a larger credit line, anyway. posted at: 01:40 :: permanent link to this entry :: 1 comments Trackback link is http://jl.ly/Money/freexmas.trackback 16 Dec 2009
A few weeks ago I blogged about some credit card checks that Capital One sent, with terms that appeared to offer free money. I wrote myself a check for ten grand, and deposited it in the bank to see what would happen.
posted at: 01:21 :: permanent link to this entry :: 6 comments Trackback link is http://jl.ly/Money/capone3.trackback 04 Dec 2009
In a recent discussion among mail system managers, we learned that one of the large spam filter providers now has an option to reject all mail from ESPs (e-mail service providers, outsourced bulk mailers) regardless of opt-in, opt-out, spam complaints, or anything else: just block it all. Some of the ESPs wondered what would drive people to do that.

We are bombarded by ads from the moment we get up until the moment we go to sleep. There's ads on the radio, ads on TV, ads in the newspaper, ads on billboards, ads on the bus, ads on the fricking steps in the NYC subway. In my physical mailbox, where I used to throw away about one worthless little newspaper full of ads a week, now it's one or two a day.

The reality is that recipients do not care if they get the vast majority of what ESPs send. Even if we might have at one point checked the box to get Valuable Offers for More Fabulous Products Like This, now it's just more stuff in the gusher of ads. If there's a button to push to make their inboxes an ad-free zone, it really shouldn't come as a surprise that people push it.

For the minority of stuff that people do want, like the daily headlines from newspapers, or perhaps the weekly roundup of cheap plane fares, there's better ways to get them than e-mail. An RSS or Twitter feed is entirely under the recipient's control, meaning that no sleazy marketing manager can try to shove his messages to the top of My Yahoo, or to insert his feed if I didn't ask for it. If I lose interest and unsubscribe, it is gone instantly, permanently, and reliably. If I were a mail manager, I would be delighted to push the no-ESP button, then show a few of my users how to set up feeds for the trickle of stuff they really want, because now the management burden is on them, not on me.

For ESPs, if there is any argument whatsoever about whether recipients want your mail, you lose. Yes, it's hard to read their minds and only send them what they want, but that's how competent ESPs make the big bucks. (Several mail managers at very large ISPs wrote privately to thank me for my note and wish they had that button, but they asked me not to name them since ESPs are so excitable.) posted at: 16:47 :: permanent link to this entry :: 4 comments Trackback link is http://jl.ly/Email/jmis.trackback 03 Dec 2009
posted at: 01:14 :: permanent link to this entry :: 0 comments Trackback link is http://jl.ly/Money/capone2.trackback 30 Nov 2009
Earlier this year, the New Zealand Department of Internal Affairs, the US Federal Trade Commission, and the Australian CMA broke up a large fake drug spam ring known as Herbal Kings, run by New Zealander Lance Atkinson. The NZ government fined him NZ$108,000 (about US$80,000) which, while a substantial fine, seemed pretty small compared to the amount of money he must have made. But today, at the FTC's request, a US judge fined Atkinson US$15.5 million, and got his US accomplice Jody Smith to turn over $800,000, including over $500,000 in an Israeli bank. This is the largest spam fine I'm aware of, and the $500,000 is one of the largest international recoveries. Atkinson hasn't paid the $15M, but since he is in jail, it seems reasonably likely that the various governments will be able to track down his assets by the time he gets out.

Spammers are in it for the money, and to the extent they can keep what they get, they'll keep spamming. Fines that wipe out the profits, and in particular fines that can actually be collected, are essential if we're going to make any progress against spam. Fortunately for the FTC, Herbal King's spam was sloppy, with faked headers and broken opt-out links, which are among the few things that the weak CAN SPAM law forbids. If the spammers had been more careful, the fake drugs would still be illegal, but it would have been harder to prosecute them in the US since CAN SPAM wouldn't have applied.

You can read the NZ release on the CAUCE web site and the FTC release on the FTC's web site. I assisted the NZ government as a technical expert, providing advice to the court explaining how Atkinson's actions matched what the law forbids. posted at: 12:40 :: permanent link to this entry :: 0 comments Trackback link is http://jl.ly/Email/fifteenmil.trackback
posted at: 01:06 :: permanent link to this entry :: 1 comments Trackback link is http://jl.ly/Money/capone.trackback 19 Nov 2009
ICANN has opened their new fast track process for "countries and territories that use languages based on scripts other than Latin" to get domain names that identify the country or territory in its own language. It's not clear to me what the policy is supposed to be for countries whose languages use extended Latin with accents and other marks that aren't in the ASCII set. Any country that uses an extended Latin character set can use extended characters in 2LDs right now, and I can't offhand think of any whose current unaccented two-letter ccTLD isn't an adequate mnemonic for their name. But let's say that Serbia feels that .RS is kind of lame, so they apply for and get .Србија which is perfectly reasonable, since that's the Cyrillic character set. Then Romania decides that .RO is too generic, so they ask for .România with the circumflex over the â, as it is properly spelled in Romanian. That's an IDN, so how can they say no? Hey, say the Hungarians, they got their country names, we want .Magyar. Oh, no, that's ASCII, that will be $185,000 and a highly uncertain multi-year process. Really? posted at: 01:16 :: permanent link to this entry :: 2 comments Trackback link is http://jl.ly/ICANN/nonlatin.trackback 09 Nov 2009
At its recent meeting in Seoul ICANN announced with great fanfare that it's getting ever closer to adding lots of new Top Level Domains (TLDs). Despite all the hype, as I have argued before, new TLDs will make little difference. There are two mostly separate kinds of new TLDs. One is TLDs for countries in non-ASCII character sets, known as IDNs. They're much less controversial, and ICANN will soon issue at least a few politically expedient ones like .中国 with the name in Chinese, which would be equivalent to .CN. This is the only real TLD problem; it was waiting for technical specs and implementation (not from ICANN), but that is now largely done. The controversial issue is domains with random new names, gTLDs. I agree with my old friend Lauren Weinstein that this is a tempest in a very expensive teapot, because all of the purported reasons that people want new TLDs have been proven false, and the one actual reason that a new TLD would be valuable has no public benefit. posted at: 00:31 :: permanent link to this entry :: 4 comments Trackback link is http://jl.ly/ICANN/teapot.trackback 07 Nov 2009
posted at: 10:28 :: permanent link to this entry :: 8 comments Trackback link is http://jl.ly/Money/securetrans.trackback 25 Oct 2009
(Thanks to Chris Lewis for permission to adapt this) Everyone who uses e-mail needs spam filtering, and some filters definitely work better than others. Some people we know were trying to design tests of filter quality, which turns out to be extremely difficult. What one might call 'filtering quality' assessment should be the very very last step after "does it have the features I want?", "does it install/is it supported/supportable?", "does it crash?", "does it make lots of stupid mistakes?", "is it likely going to compare favorably with what we already have?". You have to do the latter before the former. The latter is relatively easy. The former is what people keep asking about, and is the really really hard part to do right. posted at: 00:24 :: permanent link to this entry :: 0 comments Trackback link is http://jl.ly/Email/filtertest.trackback 21 Aug 2009
On Wednesday, Project Honey Pot filed an unusual lawsuit against "John Does stealing money from US businesses through unauthorized electronic transfers made possible by computer viruses transmitted in spam." Their attorney is Jon Praed of the Internet Law Group, who is one of the most experienced anti-spam lawyers around, with whom I have worked in the past. The goal of this suit is to identify the criminals behind a vast amount of theft through the ACH, the Automated Clearing House that handles direct deposits and electronic payments in the US. The pattern is that the bad guys install malware on the PC of company financial officers, and use it to make ACH transfers to money mules who then wire it out of the country. Although the primary target of this suit is the crooks, an equally important subsidiary target is banks, who have consistently stonewalled attempts to learn about the extent of the losses, the details of the scam, and what the banks are doing to deter it.

Bank stonewalling is not a new problem. Adam Brower wrote about his experience with one of them:

I can supply some perspective from my own experience. I noticed the article today, too, and spent some time nodding my head and clucking over my morning coffee. For nearly a year, two years ago, I made it my personal mission to convince just one bank to aggressively pursue just one phisher. I did this, by the way, not as a representative of any anti-spam project, but as a citizen. I encountered the expected silence from a majority of the executives with whom I attempted to establish contact. From a very few others, I received polite thanks for my interest, advice to contact LEO, and from two of them, invitations to open accounts! After months of such wheel-spinning, a door seemed to open. I received a thoughtful reply from a mid-level executive at a major New York-based bank. We exchanged emails for three weeks.

After he accepted my very weak bona fides (I am, after all, far from expert in these matters, my sole strengths being doggedness and an occasional way with language) I sent him links to the wealth of investigative data available on the web, samples of phishing spam targeting his institution, background info on the rockphish phishing package et al., and he lapped it up. I was astounded that so much of this was apparently news to a man in his position. We spoke on the phone three times, each time ending with agreement that the bank's enormous resources could and should be brought to bear against the crooks who were victimizing its customers and costing it unreported millions in losses each year. During the last call, he informed me that he intended to whiteboard, at a coming meeting, the entire body of stuff I had sent him, and to propose forming an internal task force to gather evidence against the malefactors and to contact and interface with LEO. Naif that I was, I was surprised when he hinted that there was institutional reticence when it came to providing reports of compromises to LEO. It's obvious to me now that the last thing in the world a big bank wants announced is the scale of their losses in this context, or the number of intrusions, but he seemed determined to stir the pot.

Subsequently, two weeks passed without a word. Email went unanswered. One day I called the office number on which we had spoken earlier. I was informed that Mr. Doe had left the firm. Later, when I tried again, I was told that no-one by that name had ever worked there. Whether our conversations and his (supposed) departure were connected, who knows? Maybe he just decided to take his golden parachute, but it certainly could read like something from a Ludlum novel. posted at: 16:23 :: permanent link to this entry :: 0 comments Trackback link is http://jl.ly/Email/badbank.trackback 16 Aug 2009
Phishing is when bad guys try to impersonate a trusted organization, so they can steal your credentials. Typically they'll send you a fake e-mail that appears to be from a bank, with a link to a fake website that also looks like the bank. Malware offers another more insidious way to steal your credentials, by running unwanted code on your computer that watches the keystrokes you type, the mouse clicks you make, and the windows that appear on your screen, sends them back to bad guy HQ, and even adds or substitutes its own keystrokes and mouse clicks in a way that you can't easily detect. I like Verisign's characterization of this kind of malware as an insecure endpoint: the PC which is the endpoint of the conversation with the bank isn't actually under the control of the person who's using it.

There's no question that straight phishes and malware are different problems, but they attack the same customers toward the same ends, and a lot of popular security strategies like those keyfob tokens that generate a different random number every minute are equally ineffective against both. There's also some overlap in implementation, e.g. phishes that direct you to a website that downloads malware.

We can usefully distinguish between offline and online attacks. An offline attack steals credentials for use later, while an online attack sits between you and the bank and does bad stuff in a session after you set it up. Offline attacks are deterred by changing the credentials from one session to the next. The keyfob is one expensive way to do it, but there are others. Most of my non-US bank accounts have two passwords where the bank only asks me for three randomly chosen letters of the second password each time I log in. I gather some European banks send their customers a printed list of one-time passwords, and you use one and cross it out each time you log in.

None of these are effective against online attacks, since the bad guys have a proxy that asks you the real questions from the bank and passes back your real answers, setting up a real session. The problem is that there's an insecure endpoint, either a malware infected PC on your desk, or the proxy which you think is the bank and the bank thinks is you. The solution either way is to switch to a secure endpoint. That's why I have suggested a hardware USB confirmation dongle with a screen and YES/NO buttons, where you set up the transaction on the insecure PC but the dongle has an encrypted connection to the bank, so the display on its screen and your push of the YES or NO button are secure. Another possibility is a confirmation phone call to a phone which is physically separate from your PC, where it reads you the transaction, and you press 1 for yes or 2 for no. (Attention Users! Do not use a softphone on your PC for confirmations!)

It seems to me that although the details are different, the fundamental problems and solutions are very similar, so it makes sense to consider them together. posted at: 22:46 :: permanent link to this entry :: 2 comments Trackback link is http://jl.ly/Email/malphish.trackback 08 Aug 2009
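As an added illustration of the offline/online distinction in the entry above (example code, not from the original post): a toy Python model of the three-random-letters login, a keylogger replaying captured letters, a relaying proxy that ends up owning the live session, and the YES/NO confirmation dongle that shares a key with the bank that the PC never sees. The password, account names, amounts and dongle key are all constructed.

```python
import hashlib
import hmac

# Constructed sample "second password" for the toy bank (not a real credential).
PASSWORD2 = "zebrafish"

def answer(pos):
    # The legitimate user typing the requested letters on the (insecure) PC.
    return "".join(PASSWORD2[p] for p in pos)

class Bank:
    """Toy bank from the post: three letters of the second password per login."""

    def __init__(self):
        self.balances = {"alice": 1000, "bob": 0, "mule": 0}
        self.logins = 0
        # Shared only with the customer's confirmation dongle, never with the PC.
        self.dongle_key = b"constructed-dongle-secret"

    def challenge(self):
        # Toy generator: rotates positions so the demo is deterministic;
        # a real bank would pick the three positions at random.
        pos = [(self.logins * 3 + i) % len(PASSWORD2) for i in range(3)]
        self.logins += 1
        return pos

    def login(self, pos, letters):
        return letters == answer(pos)

    def transfer(self, src, dst, amount, confirm=None):
        """With a confirmation channel, show the real transaction and need a YES."""
        if confirm is not None:
            summary = f"{src}->{dst}:{amount}"
            tag = hmac.new(self.dongle_key, summary.encode(), hashlib.sha256).hexdigest()
            if not confirm(summary, tag):
                return False
        self.balances[src] -= amount
        self.balances[dst] += amount
        return True

class Dongle:
    """Secure endpoint: checks the summary came from the bank, then the user
    presses YES only if it matches the transaction they meant to make."""

    def __init__(self, key, intent):
        self.key, self.intent = key, intent

    def __call__(self, summary, tag):
        expected = hmac.new(self.key, summary.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag) and summary == self.intent

def offline_replay():
    """Captured letters from one login fail later: the next challenge asks for other positions."""
    bank = Bank()
    captured = answer(bank.challenge())
    return bank.login(bank.challenge(), captured)

def online_proxy(with_dongle):
    """Proxy relays challenge and answer, then substitutes its own transfer. Returns (executed?, mule balance)."""
    bank = Bank()
    pos = bank.challenge()
    bank.login(pos, answer(pos))  # relayed real answer: the proxy now owns a live session
    confirm = Dongle(bank.dongle_key, "alice->bob:100") if with_dongle else None
    done = bank.transfer("alice", "mule", 900, confirm)
    return done, bank.balances["mule"]
```

Without the dongle the substituted transfer goes through even though every credential was real; with it, the user sees "alice->mule:900" on the secure screen and presses NO.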
In a discussion about a recent denial of service attack against Twitter, someone asked: "Some class of suppliers must be making money off of the weaknesses. Anybody out there have a prescription for the cure?" Sure, but you're not going to like it. posted at: 23:32 :: permanent link to this entry :: 1 comments Trackback link is http://jl.ly/cheap.trackback 11 Jul 2009
posted at: 19:48 :: permanent link to this entry :: 0 comments Trackback link is http://jl.ly/ICANN/vrsncom.trackback 05 Jul 2009
posted at: 19:37 :: permanent link to this entry :: 0 comments Trackback link is http://jl.ly/ICANN/cfittrap.trackback 04 Jul 2009
posted at: 21:16 :: permanent link to this entry :: 5 comments Trackback link is http://jl.ly/Email/threemyths.trackback 02 Jul 2009
posted at: 21:59 :: permanent link to this entry :: 2 comments Trackback link is http://jl.ly/ICANN/whoneeds2.trackback 01 Jul 2009
posted at: 19:58 :: permanent link to this entry :: 0 comments Trackback link is http://jl.ly/ICANN/whoneedstlds.trackback 05 Jun 2009
posted at: 18:47 :: permanent link to this entry :: 0 comments Trackback link is http://jl.ly/ICANN/cfit.trackback 04 Jun 2009
posted at: 20:07 :: permanent link to this entry :: 3 comments Trackback link is http://jl.ly/Email/phight.trackback 15 May 2009
I got a note from a college friend via Facebook yesterday, telling me about the clever 282.im domain. Gee, it looked just like Facebook, like, you know, a phish. Uh oh.
posted at: 07:21 :: permanent link to this entry :: 0 comments Trackback link is http://jl.ly/ICANN/manx.trackback 06 May 2009
posted at: 17:33 :: permanent link to this entry :: 1 comments Trackback link is http://jl.ly/ICANN/redding.trackback 24 Apr 2009
Press reports say that the Canadian government introduced an anti-spam bill in the House of Commons today. I haven't had a chance to read it yet, but since it's reportedly based on the recommendations in the report from the 2005 task force, of which I was a member, signs are encouraging. I'll write more once I've had a chance to digest it. posted at: 17:27 :: permanent link to this entry :: 1 comments Trackback link is http://jl.ly/Email/c27a.trackback 31 Mar 2009
Last September the Virginia Supreme Court issued a surprise ruling that reversed its previous decision and threw out the state's anti-spam law on First Amendment grounds. The Commonwealth made a last ditch appeal to the US Supreme Court, which I predicted they'd be unlikely to accept. I guessed right, they turned it down yesterday, meaning the case is finally over. Due to the peculiar facts and history of this case, the decision would be unlikely ever to affect anyone other than Jaynes, and he's still in jail on other charges, so in the big picture it's just a blip. I thought the VA legislature had already passed a revised law that fixed the first amendment problem, but apparently not, since the state Attorney General says he's drafting a new law for next year's session. Even that's not all that important, since state laws are tightly constrained by CAN SPAM, and can only make things that are already illegal under CAN SPAM more illegal. The most useful difference a state law can make is to leave out the CAN SPAM language about awarding costs which makes a losing CAN SPAM suit potentially very expensive to the plaintiff. posted at: 11:09 :: permanent link to this entry :: 0 comments Trackback link is http://jl.ly/Email/jayneslast.trackback 17 Mar 2009
posted at: 08:32 :: permanent link to this entry :: 2 comments Trackback link is http://jl.ly/Email/dkimdepl.trackback 22 Feb 2009
posted at: 12:32 :: permanent link to this entry :: 0 comments Trackback link is http://jl.ly/Copyright_Law/kindle2.trackback 03 Feb 2009
"The large variance to budget is due to investment losses of $4.6 mil." Investment losses? Yup, ICANN's been speculating in the stock market, and has lost $4.6 million, or to put it in concrete terms, the 20 cent fee from 23 million domain registrations. posted at: 18:44 :: permanent link to this entry :: 0 comments Trackback link is http://jl.ly/ICANN/icannspec.trackback 24 Jan 2009
A friend asked: "Apparently the mortgage holders today are not the loan originators and therefore have little incentive to deal, or should I say workout, one-one with consumers. Can [someone] provide some comments on workout to help clarify the concept?" Workouts are a normal part of bank lending, because foreclosing (or the equivalent) is very expensive, and the bank is often better off agreeing to a smaller or longer loan and actually getting paid. posted at: 13:40 :: permanent link to this entry :: 0 comments Trackback link is http://jl.ly/Money/workout.trackback 02 Jan 2009
An acquaintance wondered why the people who run the systems that receive mail get to make all the rules about what gets delivered. After all, he noted: "The sender pays for bandwidth and agrees to abide by the bandwidth provider's rules." posted at: 22:21 :: permanent link to this entry :: 3 comments Trackback link is http://jl.ly/Email/whopays.trackback
© 2005-2011 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will
not give, sell, or otherwise transfer addresses maintained by this
website to any other party for the purposes of initiating, or enabling
others to initiate, electronic mail messages.