Friday, September 30, 2005

Ever get the feeling you're being watched?

You’re not paranoid.  Click here.

 

Alex Eckelberry 

Using alt character sets to bypass AV programs

We’re checking into this ourselves.  A number of antivirus programs apparently do not scan file names that contain non-printable ASCII characters. Link here.

Alex
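The post above does not say how the affected scanners go wrong, so the following is an added illustration (not Sunbelt code, and not a description of any named product) of one way an extension-based "should I scan this?" filter can be defeated by a control character in the name, beside a hardened check. The sample listing, the scanned-extension list and the function names are all constructed for the example.

```python
"""Flag filenames whose non-printable characters could slip past an extension-based scan filter."""
import unicodedata

# Constructed sample listing (not real files). \x01 and \x7f are non-printable
# ASCII control characters; \u200b is a zero-width space.
SAMPLE_LISTING = [
    "report.pdf",
    "setup.exe",
    "setup.exe\x01",      # control character appended after the extension
    "notes\x7f.txt",      # DEL character inside the name
    "update\u200b.scr",   # invisible format character before the extension
]

# Hypothetical list of extensions a scanner is configured to look at.
SCANNED_EXTENSIONS = (".exe", ".scr", ".dll", ".com", ".pif")


def has_nonprintable(name):
    """True if any code point is in a Unicode 'C' (control/format/other) category."""
    return any(unicodedata.category(ch).startswith("C") for ch in name)


def strip_nonprintable(name):
    """Remove control and format characters so the visible name is what gets judged."""
    return "".join(ch for ch in name if not unicodedata.category(ch).startswith("C"))


def naive_should_scan(name):
    """Weak check: decide by the raw extension only (a trailing control byte defeats it)."""
    return name.lower().endswith(SCANNED_EXTENSIONS)


def hardened_should_scan(name):
    """Any non-printable character is itself suspicious; otherwise judge the cleaned name."""
    if has_nonprintable(name):
        return True
    return naive_should_scan(strip_nonprintable(name))


def audit(listing):
    """Names the naive filter would skip but the hardened filter would scan."""
    return [n for n in listing if hardened_should_scan(n) and not naive_should_scan(n)]


if __name__ == "__main__":
    for name in audit(SAMPLE_LISTING):
        print("missed by naive filter:", repr(name))
```

The lesson for anyone writing a filter on file names: treat the presence of any control or format character as a reason to scan, and never let the raw extension string alone decide.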

 

Rootkit resources

Eric Howes, who consults with us on spyware issues, writes this about rootkits:

Windows rootkits are malicious programs that use some fancy low-level programming tricks to hide themselves and other files and directories from Windows. When a rootkit is running on your machine, you won't be able to see it (or the other files it's hiding) through Windows Explorer. And neither will other standard Windows applications either. They're effectively invisible, even to Windows itself.

Rootkits are attractive and useful to malware, spyware, and adware creators because rootkits can hide malicious files that take control of users' PCs and prevent those files from being easily removed. Spyware and adware authors have been especially aggressive in using rootkits to conceal their software on victims' PCs. The best example is SearchMiracle/Elitebar, which uses a rootkit to hide dozens of files and directories within the Windows directory. Once SearchMiracle/Elitebar is installed, it is very difficult to remove, and users' PCs are deluged with mysterious pop-ups that seem to come from nowhere.

As with other aspects of malware, rootkit creators and anti-malware companies are now in an arms race of sorts, with rootkit creators finding ever more clever ways to hide their code within Windows and anti-malware vendors scrambling to improve their applications to detect these newer breeds of rootkits.

Some links: 

Microsoft Strider Project
(note: contains links to plenty of white papers and such)

Microsoft Rootkit Webcast

News articles
http://www.eweek.com/article2/0,1759,1829744,00.asp
http://www.eweek.com/article2/0,1759,1816972,00.asp
http://www.securityfocus.com/columnists/358
http://www.viruslist.com/en/analysis?pubid=168740859
http://www.eweek.com/article2/0,1895,1841266,00.asp

Anti-rootkit tools for Windows (Note: Most of these are complex programs that require an experienced user).

Blacklight

IceSword

Microsoft - Malicious Software Removal Tool  

RootkitRevealer

UnHackMe

Alex

Um, mmkay, first we consolidate, then we hire the bankers, then an IPO, mmkay?

Criminal gangs getting consolidated.

Now, if the MethHeads get organized, you’ve got a Google-sized IPO.

Alex Eckelberry

Microsoft Phishing Filter

If you can handle having the MSN Search Bar in your browser, get the Microsoft anti-phishing toolbar.

It will also be in IE 7.

Yellow warning

Red warning

 

Phishing Filter options

Spyware: The $24 billion question? No way.

First, we had wild tall tales of the spyware business being a $2 billion industry (the actual amount is closer to $500 million).

Now we have the risk of spyware theft pegged at $24 billion.

John Bambenek at the SANS Internet Storm Center writes that over $24 billion is at risk of theft from spyware in the US. Methodology here. Article here.

John is a highly respectable and sharp guy, but I don’t buy it (and to his defense, his work on this is very preliminary).

The thesis is based heavily on a spyware vendor’s estimate that 7% of machines they surveyed contain “system monitors” that would include keyloggers.

Add in the population out there and the active bank accounts, and you’ve got $24 billion.

I’m sorry.  I don’t buy it.  First, I don’t buy that 7% of the machines out there have keyloggers.  “System monitors” could include a range of programs.  But if I took 100 people and actually found out what they have on their system, I would be very surprised if 7 had keyloggers.

First, there’s SP2.  In just the past few months, we’ve found well over 20 variants of the vicious Winldra.exe keylogger (also known as the dumaru or nibu trojan).  This is the nasty bugger that got all the press a few months back.  Guess what: Not one machine running it had SP2.  They all had older unpatched systems.  It’s darned hard, if not impossible, for these keyloggers to get on your system if you’re running SP2. 

Second, there’s the question of definition.  The vendor in question had a general definition of “System Monitors”, which is “range in capabilities and may record some or all of the following: keystrokes, e-mails, chat room conversations, instant messages, Web sites visited, programs run, time spent on Web sites or using programs, and even usernames and passwords. The information is transmitted via remote access or sent by e-mail. Keyloggers are included in this category of spyware.”

Ok.  So there’s a lot more than just keyloggers in this definition.

You want to see what’s on people’s machines? You can see our live ThreatNet stats, which show what is actually being removed, by clicking here.  Of course, this is also unscientific, since it only includes a population of CounterSpy users.

The correct thing to do here would be to get several hundred PCs on an nth sample basis, and actually do a formal audit.  Ignore things like cookies. Find out what’s really on the machines that is real adware/spyware/trojans etc.  And then you can start to develop an accurate thesis.

Alex Eckelberry
Hat tip to Donna

Kazaa says it don't install no spywares!!

Kaz

hey … Kazaa sez no spywares!!!

Saying “No spyware” is apparently something that Sharman has justified here and here. Sharman has apparently convinced themselves that the definition of Spyware is (drumroll):  a keylogger! 

So Direct Revenue recently did a deal with them.

And now you get Best Offers when installing Kazaa.

So I installed Kazaa and checked the EULA for Best Offers.  Check some of this text out:  

“This software will collect information about websites you access and will use that information to display ads (e.g. pop-ups, search results) on your computer while you surf the web. These adverts are branded with the company name. If you view adult content, the ads may contain adult content.

…the Software may, without any additional notice to you, perform the following: display pop-up ads and various other ad formats of third party advertisers; display links to and advertisements of related websites based on the information you view and the websites you visit; store non-personally identifiable information regarding your Internet browsing and usage habits; redirect certain URLs, including your browser’s default 404-error page; provide advertisements, links or information in response to search terms you use at third-party websites; provide search functionality or capabilities. The Software generally on average will display less than approximately twenty pop-up ads or other ads in other formats during a twenty-four hour period, subject to your cookies not being erased or cleaned, which would distort our ability to count how many ads we have provided to you.

The ads that the Software provides may contain adult content if the Internet web pages you are viewing contain adult content.

…Best Offers does not require you to provide any personally identifiable information …the Software does collect certain types of non-personally identifiable information about individuals who install and use the Software (e.g., IP host address, pages viewed, browser type, clickstream data, ISP and other non- personally identifiable information). None of the information collected is used by Best Offers to identify you personally. The non-personally identifiable data Best Offers does collect is used to provide you the appropriate ads at the appropriate time, as well as to monitor the performance and distribution of the Software.

 

Additionally, we may share non-personally identifiable, aggregated information with our business partners solely in connection with the provision of services to each other. The use and collection of your information by the Software is in accordance with Best Offers’ privacy policy located at www.bestoffersnetworks.com/privacy.php and is incorporated as part of this Agreement...”

 

So, hmm… we’re getting your IP address and your pages viewed and we’re not spyware since it’s not personally identifiable.  Ok, whatever, another discussion.

 

But then check out this little freakazoid:

 

“…There are third parties who are unaffiliated with Best Offers and who may in the future, attempt to install applications or functions onto your computer without first obtaining your consent, or who may have already done so. Some of these third parties may attempt to install a virus, worm, trojan horse and/or other malicious and unwanted agent onto your computer. In order to ensure the safety of your computer, Best Offers may remove the virus, worm or trojan horse from your computer.

 

These third parties may also attempt to insert particular domain names into your browser's list of "trusted sites," make host file changes or manipulate your network communication functionality without first obtaining your consent. By doing so, such third parties may obtain access to your computer as a means to install unwanted or damaging components on your computer.

 

You understand and agree that Best Offers may flush the list of all trusted sites in your browser from time to time. Thereafter, you may need to re-designate as trusted sites certain web sites that you had previously designated as trusted sites. Best Offers believes this a benefit to you because it enhances the security of your computer and provides you with the ability to choose whether or not to install certain components on your computer.

 

Some third parties may attempt to disrupt network communications to and from your computer to Best Offers’ servers. This may include the manipulation of either your DNS configuration, or your computer's host file. If Best Offers believes that a third party is impeding your network communications, we reserve the right to correct the conflict in order to preserve proper communication.”

Wow.

Alex Eckelberry
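The EULA quoted above reserves the right to rewrite the hosts file. Whatever one thinks of that, a defender wants to notice when it happens. The following is an added example (not Sunbelt's code and not anything Best Offers ships) of a small hosts-file monitor: it parses a baseline and a current copy, reports entries that were added, changed or removed, and separates loopback "sinkhole" entries from entries that redirect a name to some other address. The two hosts-file texts are constructed; the domains and addresses are reserved documentation values, not real sites.

```python
"""Detect additions, changes and redirects in a hosts file relative to a saved baseline."""
import hashlib

# Constructed baseline and current hosts-file contents (not captured from a real system).
BASELINE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
"""

CURRENT_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad-server.example      # blocklist-style entry (points at loopback)
203.0.113.7     update.example         # redirect-style entry (points elsewhere)
"""

# Addresses that merely black-hole a name rather than send traffic somewhere new.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Map hostname -> address, ignoring comments and blank lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            entries[name.lower()] = addr
    return entries


def diff_hosts(baseline_text, current_text):
    """Return (added, changed, removed) relative to the baseline."""
    base, cur = parse_hosts(baseline_text), parse_hosts(current_text)
    added = {n: a for n, a in cur.items() if n not in base}
    removed = {n: a for n, a in base.items() if n not in cur}
    changed = {n: (base[n], cur[n]) for n in base if n in cur and base[n] != cur[n]}
    return added, changed, removed


def classify(added):
    """Split new entries into sinkholes (loopback) and redirects (any other address)."""
    sinkholed = sorted(n for n, a in added.items() if a in LOOPBACK)
    redirected = sorted(n for n, a in added.items() if a not in LOOPBACK)
    return sinkholed, redirected


def fingerprint(text):
    """A cheap first check: compare this against the stored baseline hash on each run."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    if fingerprint(CURRENT_HOSTS) != fingerprint(BASELINE_HOSTS):
        added, changed, removed = diff_hosts(BASELINE_HOSTS, CURRENT_HOSTS)
        sinkholed, redirected = classify(added)
        print("sinkholed:", sinkholed)
        print("redirected:", redirected)
        print("changed:", changed, "removed:", removed)
```

Redirect-style entries are the ones worth alerting on: a name that used to resolve through DNS now goes to an address somebody chose for you. Sinkhole entries are usually benign (ad blocking), but a sudden batch of them that block security vendors' update hosts is its own warning sign.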

 

Sunbelt hype on HIPAA and spyware

From our propaganda department.  Link here.

Alex Eckelberry

 

Thursday, September 29, 2005

Anonymity on the 'Net: Is it a Good Thing?

Deb Shinder wrote this in our WXPNews newsletter.

By the way, it’s a heck of a good newsletter, and I would highly recommend subscribing to it.

For many, the Internet is a "place" in cyberspace where they can shed their day-to-day identities and be whomever or whatever they want to be. According to the old cartoon, "on the 'net, nobody knows you're a dog." And nobody knows, unless you tell them, whether you're young or old, male or female, black or white, married or unmarried. This carries with it the potential for getting jobs or making friendships without any of the preconceived prejudices that go with dealing with people in the "real" world. It also carries with it a lot of dangers and temptations.

As a technical writer, I do most of my work over the Internet. I have long term business relationships with people I've never met in person. In hiring me for a writing gig, nobody cares whether I'm a pert young pipsqueak or a doddering old lady (I'm actually somewhere in between). They're only concerned about whether I can write the articles and be relied upon to get them in on time.

My husband and I met and got to know one another online before we ever got together in person. We each found out what the other was like on the inside before dealing with physical issues. It seems to have worked pretty well; we're still together after more than a decade of marriage.

However, the anonymous aspect of Internet communications has its dark side, too. I know people who use it to escape from their own realities, who create whole new personas that they don when they go online. Some say this is a healthy outlet, but I'm not so sure. One thing I do know is that other people, who believe these imposters' stories, sometimes end up getting hurt. I've known more than one friend who thought he/she had met the love of his/her life on the 'Net, only to find out that to the other person, it was all a joke. In some cases, the "beloved" had lied about marital status, job, age, looks, even gender.

But it's not just in matters of romance that 'Net anonymity can cause problems. It also makes it easy for someone to smear another's reputation without the victim ever having a chance to face his/her accuser or even know what provoked the smear campaign. Subtle innuendos or wild accusations against public figures get circulated widely with no original source (or a false one) given. And strangers who are upset by something you say on a mailing list, on a discussion board or on your Web site can set out to systematically destroy your reputation and credibility.

This is annoying and frustrating when it happens on a personal level. When the person with a grudge decides to try to damage your career, it's absolutely infuriating. I write regular monthly articles on network security issues for a Web publication. Like many tech sites, this one solicits feedback from readers, in the form of a ranking system where each reader gives each article a rating from 1 (poorest) to 5 (best).

My articles have generally pulled in rankings between 3.5 to 5. Recently, however, I noticed that my latest article had a ranking of 1.3. Wow, I thought, I'd better go back and reread that. What had I said to deserve such a low score? Had I made some gigantic technical error? Had I worded something in such a way as to inadvertently be offensive? I couldn't find any such gaffes upon reviewing the article, but then I noticed that the low score was based on almost 200 votes. Now that was strange - the article had only been posted for a couple of days, and the usual pattern is about 20 votes over the course of 3 months or more.

I went back and started looking at my previous articles on this site - and found that almost all of them had hundreds of votes and their rankings, previously averaging around 4, had all fallen into the 1s. Then I took a look at the voting system itself. The site owners had created a mechanism designed to discourage voting more than once. The purpose, I assumed, was to keep authors from giving themselves a bunch of 5s to increase their own rankings. But as I played with the system, I discovered that the "one vote" mechanism was based on cookies. To defeat it, all you had to do was clear your browser each time and you could vote as many times as you wanted.

I looked at the articles of other authors on the site and discovered that their ranking still followed the old pattern - each article had only 20-30 votes total after being posted for several months. It seemed pretty obvious that someone had mounted a targeted effort to lower the rankings on all of my articles. Who? Why? I have no idea. The site owners saw the pattern, too, and removed the bogus ratings, but the person who did this is free to do it again, to me or someone else.

Of course, the most popular abuse of anonymity on the 'net is in the form of spam. For that reason, identity authentication solutions such as the Sender Policy Framework (SPF) and Microsoft's Sender ID have been developed. If these systems become widespread, it would be much more difficult to send e-mail anonymously - or at least, to get it through to most recipients.

Of course, it wouldn't address anonymity in chatrooms or when posting to Web sites. However, some have proposed broader based authentication systems that would assign everyone user credentials, which would be required to access the 'Net through any computer. This would eliminate the ability to get around present identification systems such as IP address tracking by using public computers in libraries, Internet cafés, etc. It's a long way from becoming reality, but if Internet users continue to abuse the 'Net's anonymity features, it will probably be a part of the Internet of the future.

Of course, this solution poses its own concerns. Will free speech be stifled if we all know that every opinion or question we post electronically can be traced back to us? Or will such accountability just deter people from saying things on the 'Net that they shouldn't have been saying in the first place? Is someone who won't sign his/her name just a coward? Or are there legitimate reasons to disguise your identity?

What do you think? Should we have a way to track and identify everyone who posts on a Web site, sends e-mail, engages in online chat or otherwise communicates over the network? Or should people have the right to hide their identities if they want to? Let us know your opinions (anonymously or not) by emailing me.

Deb Shinder
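Deb's rating-system story above is a textbook case of a client-side "one vote" check. As an added example (my own illustration here, not the publication's code), here is the cookie-only design beside one that records the voter server-side, plus the kind of volume check that would have surfaced her 200-vote articles automatically. The class names, the article ids and the vote counts are constructed for the example.

```python
"""A cookie-only one-vote check beside a server-side one, plus a vote-volume anomaly check."""
import statistics
from collections import defaultdict


class CookieOnlyRatings:
    """Vulnerable design: trusts a browser cookie to remember that a vote was cast."""

    def __init__(self):
        self.votes = defaultdict(list)          # article -> list of scores

    def vote(self, article, score, cookies):
        flag = f"voted_{article}"
        if cookies.get(flag):
            return False                        # the browser says it already voted
        self.votes[article].append(score)
        cookies[flag] = "1"                     # an emptied cookie jar resets this
        return True


class AccountRatings:
    """Hardened design: the server remembers who voted, one vote per account per article."""

    def __init__(self):
        self.votes = defaultdict(dict)          # article -> {user_id: score}

    def vote(self, article, score, user_id):
        if user_id in self.votes[article]:
            return False
        self.votes[article][user_id] = score
        return True


def average(scores):
    """Mean rating rounded to two places, or None when nobody has voted."""
    return round(statistics.mean(scores), 2) if scores else None


def count_anomalies(vote_counts, factor=5):
    """Flag articles whose vote count exceeds `factor` times the median of the others."""
    flagged = []
    for article, n in vote_counts.items():
        others = [c for a, c in vote_counts.items() if a != article]
        if others and n > factor * statistics.median(others):
            flagged.append(article)
    return flagged


def simulate_repeat_voter(n_attempts, score=1):
    """One person voting n times against each store, with a fresh cookie jar each time."""
    weak, strong = CookieOnlyRatings(), AccountRatings()
    for _ in range(n_attempts):
        weak.vote("article-1", score, cookies={})        # constructed: cookies cleared
        strong.vote("article-1", score, user_id="reader-42")
    return len(weak.votes["article-1"]), len(strong.votes["article-1"])


if __name__ == "__main__":
    print("votes recorded (cookie-only, account-based):", simulate_repeat_voter(200))
    # Constructed counts: three normal articles and one that was stuffed.
    print("anomalous:", count_anomalies({"a": 22, "b": 25, "c": 18, "d": 200}))
```

Tying the vote to an authenticated account is the real fix; the median-based check is the cheap alarm that lets a site owner notice stuffing within hours rather than after an author complains.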

Another sleazy site

Adam, one of our researchers, got this link through a Messenger Service spam on an unpatched, non-SP2 XP system: 

Scam1

 

Looks awfully similar to the Microsoft update site:

Scam2

 

Alex Eckelberry

Wednesday, September 28, 2005

Office 2003 Service Pack 2

Hey, it’s a deal at twice the price.  Includes phishing protection, updates to the 2003 spam filter, and more.

Download it here.  Do it!

PC Mag article here.

Alex Eckelberry
(Hat tip to Catherine and Donna)

This keylogger thing

There have been quite a few of these Winldra variants we’ve been finding (this is the keylogger behind the identity theft ring we stumbled onto a while back).

One thing: 

Not one of the machines we found infected was running Windows XP Service Pack 2.  ALL of the infestations are occurring on older Windows XP systems.

This thing can be installed through one of many different exploits: *.CHM, Java.Encoded links, MIME base64-encoded links, Unicoded, javascript-encoded scripts (%3F, \U00##, etc.).  Most, if not all, of these exploits were fixed even prior to SP2.

During one test, I went to a site that installed the keylogger.  Windows XP SP2, no problem.  Didn’t even touch the machine. Unpatched — zing! Instantly infected.

To those that insist on not upgrading to SP2, you are nuts.  Sorry, it’s the plain truth.  You’re playing with fire.

Alex
(Thanks Patrick)
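The encodings listed in the post above (percent-encoding, \U00## style escapes, base64-encoded links) all exist to keep a filter from seeing the same thing the browser ends up executing. As an added example (mine, not Sunbelt's, and not a model of how Winldra itself is delivered), here is a normaliser that peels those layers to a fixed point before a content check runs. Which encodings matter and the suspicious-pattern list are assumptions chosen for the example; the inputs in the test are constructed.

```python
"""Canonicalise layered encodings so a URL/content filter judges what the browser will see."""
import base64
import re
from urllib.parse import unquote

# \u003C, \U003C and \x3C style escapes (the post's "\U00##" notation)
_BACKSLASH_HEX = re.compile(r"\\[uU]([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")
# data:...;base64,<payload>
_B64_DATA_URL = re.compile(r"^data:[^,]*;base64,(.*)$", re.DOTALL)
# Assumed patterns a filter cares about; a real list would be far longer.
SUSPECT = re.compile(r"<script|javascript:|\.chm\b", re.IGNORECASE)


def decode_backslash_hex(s):
    """Turn backslash-hex escapes into the characters they stand for."""
    return _BACKSLASH_HEX.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_base64_data_url(s):
    """If the whole string is a base64 data: URL, return its decoded payload as text."""
    m = _B64_DATA_URL.match(s.strip())
    if not m:
        return s
    try:
        return base64.b64decode(m.group(1)).decode("utf-8", "replace")
    except ValueError:                      # binascii.Error is a ValueError
        return s


def canonicalize(s, max_rounds=5):
    """Apply every decoder until nothing changes; bounded so nested layers cannot loop."""
    for _ in range(max_rounds):
        before = s
        s = decode_base64_data_url(s)
        s = unquote(s)                      # %3C -> <, and %253C -> %3C on the first pass
        s = decode_backslash_hex(s)
        if s == before:
            break
    return s


def looks_suspicious(s):
    """Match against the canonical form, never against the raw bytes the filter was handed."""
    return bool(SUSPECT.search(canonicalize(s)))


if __name__ == "__main__":
    # Constructed inputs showing single, double and backslash encoding of the same tag.
    for sample in ("%3Cscript%3E", "%253Cscript%253E", "\\u003Cscript\\u003E",
                   "data:text/html;base64,PGI+aGk8L2I+"):
        print(repr(sample), "->", repr(canonicalize(sample)), looks_suspicious(sample))
```

The bounded fixed-point loop is the important design choice: a single decoding pass is exactly what double-encoding (%253C) is built to defeat, while an unbounded loop is a denial-of-service hazard on hostile input.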

 

Rumours of a new SpySheriff leave some antispyware people baffled

We saw a report at DSL Reports from Lavasoft (and an attendant blog entry) about a new variant of the rogue antispyware program SpySheriff that might be on the loose.  

It is reported to “delete Ad-Aware, Spybot and possibly other Anti-Spyware / Antivirus software”.  <gulp>

This put our spyware team on a wild goose chase, only to discover that this thing is likely a chimera.  We were able to find a copy of SpySheriff on a site, but it looks like the same old program.  At that same website, however, one researcher here was infected with a nasty worm (probably unrelated and the infection was also due to running a naked XP system — unpatched, no SP2).

Lavasoft is a highly respectable outfit and I have every reason to believe they are getting user reports, so we are really curious about this one. 

If anyone sees this thing out there, let us know.  So far, we have not observed it in the field but one never rests in the antispyware business ;-)

Alex

 

Excellent article on lawsuits in spyware

Article in eWeek here.

Alex

 

Preview of Windows Onecare

A preview of Windows OneCare.  Link here via Donna.

Alex Eckelberry

Offtopic: Google video is cool

If you haven’t played with Google video yet, give it a whirl.  It’s pretty slick.

You can type in things that interest you — political issues, dogs, game shows, whatever. You might get a video, or just a transcript of a video.  Some of the results are junk, some are useful. 

Alex

 

Tuesday, September 27, 2005

Sunbelt paintball madness

Last night, Eric Sites (VP of Development) and Dave Collins (QA Manager) got a bunch of developers and techs together to shoot guns.

Thankfully, it was only paint.


 

Alex Eckelberry

Security proposal for phones

From CNET:

As mobile phones become digital do-it-alls, handsets need better protection from hackers and from unauthorized access when they're lost or stolen, says an industry group proposing new, hardware-based security standards for the devices.

Direct Revenue now Best Offers

Paperghost writes about the change here.

Alex

Monday, September 26, 2005

Another sleazy install

I blogged about these guys earlier.  They’re back, with a new URL — updatescenter(dot).com (careful going there, this site will install spyware!).


Alex Eckelberry

Intermix: The daytime series continues

Intermix’s plans to sell to Rupert Murdoch were challenged by Brad Greenspan (Intermix’s former CEO), who made a counter-offer for Intermix.  Intermix has rejected the offer, citing the following reasons:

  • Mr. Greenspan's proposal does not compare favorably to the pending transaction with News Corporation. Mr. Greenspan would provide cash liquidity for only approximately one-half of the common stock held by Intermix's stockholders, with the remaining stockholders continuing to hold equity securities in a post-transaction concern with a diminished public equity float.
  • The proposal entails a number of significant and unacceptable risks, including uncertainty relating to financing for the transaction. Freemyspace, LLC would need to raise over $300 million to complete the acquisition. Mr. Greenspan has indicated that these funds will be provided by "several private equity investment firms" that may provide commitments to fund the acquisition only after they have been provided with detailed financial data regarding Intermix that is not currently publicly available. Mr. Greenspan has not identified any of his potential sources of funds and the Intermix board is unable to assess whether they are credible funding sources.
  • The proposed transaction with Mr. Greenspan offers significantly less certainty of closing and would, even if consummated, take months to complete (in comparison to the transaction with News Corporation, which could be completed in a matter of days, subject to the approval of our stockholders).
  • Although existing stockholders would retain an equity interest in a portion of Intermix, the proposal does not provide any operating plan for Intermix, other than to indicate that Mr. Greenspan would propose to cause Intermix to sell off "non-core assets," focus on the Myspace.com business and ask the management team of Intermix' subsidiary, MySpace, Inc., to become the executive team of Intermix.
  • The return of Mr. Greenspan to a control position over Intermix could create morale issues with a significant number of Intermix employees, including members of MySpace's management, and potentially harm the company's business, particularly in light of the fact that when Mr. Greenspan was removed as Intermix chairman and asked to resign as chief executive officer, the company's common stock traded for less than $2 per share, the company was struggling with an accounting restatement, its common stock had been delisted from the NASDAQ Small Cap Market, it was the subject of an informal investigation by the Securities and Exchange Commission, various stockholder lawsuits relating to the restatement had been filed, and the company was losing money. 

Alex Eckelberry
(Thanks, Ben)

Note:  I had inadvertently titled Intermix as “Intermedia” in a previous version of this blog.  Apologies.

Tracking down by IP

The National Security Agency has obtained a patent on a method of figuring out an Internet user's geographic location. Link here.

  

"Shockingly risky storage behavior"

From a new article in Windows IT Pro.

After a summer filled with tales of data theft, natural disasters, and executives going to jail in part because of email messages they wrote, you'd think IT pros who oversee storage matters in their organizations would be totally focused on mitigating the real risks they and their companies face. But a series of research reports from the UK and Germany indicate otherwise. In fact, according to these studies, many companies haven't yet implemented adequate business continuity plans, have failed to address email-compliance issues, and are ignoring the danger posed by widespread use of USB memory sticks. Disasters, compliance, and data theft are known risks. Yet many companies apparently still like to pretend they don't exist.

Link here.

Alex Eckelberry

I hope it was a cheap deal

Cardsystems is being bought by CyberSource.  Link here.  InfoWorld article here.

Orion Holtby

David Eastbrook at Hurricane Digital Media now has a blog dedicated to Orion Holtby.   I got this link from a post at Vitalsecurity.

(For those of you unfamiliar with Orion, it’s a long tale of a man alleged to be a fraudster in the online advertising community.  Wayne Porter at revenews has covered the tale extensively.)

From David Eastbrook’s blog:

Our mission is simple when it comes to fighting this crap. It is based on three principles:

  1. Naturally, self-interest – he stole $54,000 from us. Big mistake.

“Never forget, never forgive, never let go.”

Screw us over, and we will hound your ass relentlessly.

  2. Prevent it from happening again. You won’t even be tempted.

“Slap me in the head, and I’ll break your jaw.”

You sure won’t slap me in the head again without thinking it over very carefully. I learned that playing hockey for many years against a lot of very unsportsmanlike fellows.

  3. Be prepared, willing, and ready to fight for yourself.

“Vengeance is mine. Period.”

Alex Eckelberry

 

Where to report Hurricane Rita scams

Link here.

The threat of Mobile viruses grossly exaggerated

Good for Sophos.

We've been noting some of the overhyped stories of mobile viruses lately -- all spread by one anti-virus firm or another trying to convince people that there's really a problem where none yet exists. There was another such hyped up story yesterday, but they're getting so common it didn't even register much interest. However, today, another anti-virus firm, Sophos, is taking a stand and claiming that they're sick of all of their competitors hyping up mobile viruses that aren't a real threat. In fact, they say that yesterday's claim of the first "serious" mobile virus threat is "plain bonkers."…

Link here.

Alex Eckelberry

Taming the Transportation Security Administration

Blog link here.

From EPIC: "The Transportation Security Administration has abandoned plans to use information from data aggregators to check airline passengers' backgrounds. TSA made the decision shortly before a working group issued a scathing report (19 pages, PDF) on the program. Last year, an EPIC FOIA request revealed (4 pages, PDF) that Axciom proposed to water down federal privacy laws so that it could sell data to the government for traveler screening. For more information, see EPIC's Secure Flight page."

Alex Eckelberry

New blog on the Real ID act of 2005

Those of you who follow this blog know that I’m extremely concerned about the privacy implications of the Real ID act.

MIT now has a blog on the subject.

Many people and organizations have sharply criticized the "national ID" aspects of the REAL ID Act. Even before REAL ID, the National Academy of Sciences recognized that a system of national ID not only poses a "wide range of technological and logistical challenges," but has "serious potential for infringing on the rights and freedoms of ordinary citizens."

Link here via BeSpacific.

Alex Eckelberry

 

 

 

Friday, September 23, 2005

Hacking a coffee machine

These guys hacked a Wittenborg coffee machine.

Whatever.

Alex
(Thanks to Xavier)

Hurricane Rita scams

CNET rightfully warns of impending Rita frauds.

So far, I haven’t seen any scams.  But I have seen hurricanerita.com, which is apparently owned by the people that make the Eldervalve:

It’s not a hurricane scam.  Apparently these effluent-minded people have gone ahead and registered ALL the named storms until 2009.

Alex
(Btw — this ElderValve thing actually looks rather interesting).

UPDATE:  The site has apparently been sold to the State of Texas, which is why the links in this blog are such a mess. 

Curious about the ElderValve (since the above graphic is busted)?   

Link here.

 

Community reaction to WhenU's writeup

Earlier, I mentioned that Bill Day, CEO of WhenU, has written about how adware companies must behave.  

Alex Morganis froths vituperatively. To wit:

“Bill Day, the CEO of WhenU, wrote up this piece of crap on ethics of adware. I know Bill, you have been doing a good job trying to clean up WhenU's image, but really: Nothing will stop people from saying your business sucks; It does.” 

Oh dear.

ZDNet, on the other hand,  is encouraged:

“…other adware companies would do well to adopt WhenU's philosophy and emulate some of their practices.”

Master spyware samurai PaperGhost is also encouraged, noting that he’s never actually even seen a stealth WhenU installation:

"It's almost like taking your distribution in house solves 90% of the problems that people scream about so much (myself included)....Woo-woo! Here comes the clue-train! Next stop, Cluesville! Perhaps some of WhenU's competitors would like to purchase a ticket.." 

Paretologic’s Sascha reasons dryly — and even goes the extra step of using literary analogs from Dickens and Conrad in his analysis:  

“My overall opinion of his essay is that it doesn't say a whole hell of a lot, but what's said is quite pleasant. Continuing the literary analogy, it's the difference between Dickens and Conrad. With Dickens, you get a lot of words without much behind them -- a great story leading into a good sleep, maybe. With Conrad, you've got economical language backed up by themes of race discrimination, the "white man's burden," colonialism, innate human savagery, all wrapped up in a mindbending frame narrative. "David Copperfield" is about 358 thousand words. "Heart of Darkness" is slightly longer than the printed directions on a can of ravioli. They're both great books.”

(Well, any blogger who refers to Conrad – an author I admittedly worship – immediately gets extra props from me.)

And to all this, I’m left with no choice but to close this wandering blog entry with the Conrad quote: “All ambitions are lawful except those which climb upward on the miseries or credulities of mankind.” —Joseph Conrad

Alex Eckelberry
(Note: Some think that my Conrad quote was meant to be critical of WhenU.  It wasn’t meant that way at all. It was merely an implication of the real problems out there — the really bad guys who deserve the real vituperative froth)

 

Vulnerabilities in Firefox

Thursday, September 22, 2005

AskJeeves to dump the butler

(There are so many stupid puns available for the asking, so out of respect for my above-average-intelligence audience, I will refrain.)

John Paczkowski  of Good Morning Silicon Valley has this to say about AskJeeves:

Jeeves, the P.G. Wodehouse character that's been the cornerstone of Ask Jeeves' brand for the past nine years, is out of a job. Speaking at a Goldman Sachs Group investor conference yesterday in New York, Barry Diller, Chairman and CEO of Ask Jeeves' new owner IAC, said the affable butler's days at the company are numbered (see "Jeeves! Dammit man, get me my coat and a larger portion of the Internet search market!"). IAC plans to rebrand Ask Jeeves as Ask.com and when it does it will no longer require the services of its longtime mascot. IAC, it seems, feels Jeeves' butler inhibits how people view its brand (the Jeeves character is often perceived as a "gay butler" in some countries). "Jeeves will disappear, and we will probably be called Ask or Ask.com," Diller told conference attendees. "Not that I don't like that butler. He's actually a thinner butler now."

Bill Day writes about the ethics of adware

Bill Day, the CEO of WhenU (who also has done a lot to clean up the company’s practices), writes about how adware companies must behave.

He outlines three basic principles:  Relevance, Respect and Restraint.

Link here.

Alex Eckelberry

 

180 answers back

In response to my earlier post, Sean Sundwall of 180 Solutions has this to say:

We agree, ActiveX is somewhat problematic and for that reason, it is not our preferred method of installation. However, it is a method that some of our web publishing partners request so we continue to provide this as one of several options. As you stated, many well known software makers use ActiveX to install software. But given the limitations Microsoft has imposed on the ActiveX install experience, it’s probably fair to say that ActiveX by itself cannot truly provide the user with enough information to make an informed decision, no matter who the software maker is. This is why we provide additional notification such as the dialog boxes you posted in your update, to ensure there is no confusion and no question as to what is being installed, what the tradeoff is for users and how they can uninstall. We expect that over time, fewer and fewer publishers will use the ActiveX method, but in the meantime, we offer ActiveX as an option building in the extra measures to ensure complete disclosure.

We also recognize that many consumers don’t read EULAs (Google has done away with one altogether for their Desktop Search tool). We believe, though, that EULAs are necessary and have made every effort to offer one of the shortest and easiest to understand in the software industry. And rather than simply provide a link to our EULA, we add it to the installation dialog boxes for all to see. But knowing EULAs are often skimmed or skipped altogether, we provide a plain-language description that really cannot be misunderstood. And just in case the user doesn’t read that or was somehow confused, we provide a short, clear reminder to the user upon completion of the installation that they have installed our products and we provide a link to our customer support services. We feel like this represents a fair, honest and transparent installation experience.

 

Alex Eckelberry

The Spam Queen speaks out

Laura Betterly was once dubbed the “Spam Queen” by the Wall Street Journal.  The title wasn’t entirely accurate as she was really just one of many run-of-the-mill bulk mailers, and never did offers for porn, enlarging body parts, viagra, etc.  In other words, she was nothing like the true hall-of-famers like Scott Richter and Sanford Wallace.  But the title stuck and she got some noteworthy press for it.

But she doesn’t spam anymore. 

Why?  She writes about current marketing practices and spam in an article here.

It’s actually an interesting read.  Take this, for example under the heading “The future of bulk email and why it is likely to remain dead”:

“In other words, Spam is a four-letter word.

Legitimate marketers are staying away in droves and it’s easy to see why. First of all let’s look at some facts. In the United States, it is legal to send unsolicited commercial e-mail. The CAN SPAM act allows for this. You have to provide a way to opt-out and not hide who you are, and a few more simple but ethical rules.

Although it is legal, there isn’t an internet service provider in the United States who will allow you to send unsolicited commercial e-mail.

Larger mailers have opt-in information from lists they purchase which imply consent but those lists aren’t originated from the mailer, but from other sub-mailers—you get a free thing or access to a particular site and the user checks a box that it is okay to get information from their “affiliates and partners.”

The “affiliates and partners” they are referring to are those who pay for the e-mail addresses and opt-in information.

These guys are sending you mail legally, but the fact is, they are not getting into your e-mail box for the most part. Blocking, filtering, and doing it the “legal” way bulk wise, is just not working.

Not to mention, there is no way to prove that the recipients opted in or are willing to get the message since they opted in at someone else’s site, not yours.

The response rate is pathetic and when that mail does get through, you have many disgruntled individuals who never remember opting in, so in their view, the mail is unsolicited. The only way to get e-mail into inboxes en masse is by not following the rules, so the only messages getting through are the scams, including the pornographic, illegal, and objectionable.

It is ironic that the very thing people want to rail against, they are getting more of in the aftermath of Can-Spam.”

 

Alex Eckelberry

Wednesday, September 21, 2005

What's wrong with this picture?

This recent video shows 180 Solutions is now installing Zango Search Assistant (the replacement for 180 Search Assistant) via ActiveX installs at third-party web sites.

Why is this notable?

1. The user goes to the site and gets a confusing ActiveX control thrown into their face.



Even under Windows XP Sp2, it is intrusive and confusing. One gets one of these redirect/layover screens that directs the user to install an ActiveX control -- a screen not necessarily from Zango but nevertheless confusing.



2. The ActiveX box describes this program only as "Website Access" from "Zango." No mention or description of functionality such as pop-up advertising, installation of a toolbar, error page hijacking, etc.

3. The EULA itself likewise makes no mention of key functionality, disclosing only advertising in some vague way (redirects to partner websites) but not pop-up advertising -- no mention of a toolbar at all. Click here.

4. Three separate programs are installed (with three different entries in Add/Remove Programs). There is a fourth, MediaGateway, a Zango app which is installed if you agree to it (a different ActiveX popup).


5. On one test system, a device driver capable of accessing the drive directly (ide210201.vxd) is dropped in \System32. Just what this driver is being used for is unknown. See google. According to this post, "this is a legitimate file and it is used in Windows Me/98/95 computers in order to get data on the hard disk installed".

Alex Eckelberry
(Thanks to Eric Howes for his invaluable contribution)

8:44 PM Update: 180 Solutions is fiercely defending this install, and we expect something to post later tonight or tomorrow morning.

In the meantime, here is some more information and clarifications.

The VXD file mentioned above (ide210201.vxd) comes from MediaGateway, a Zango application. I did not get this file on a re-test this evening with Windows XP SP2.

So here is how the install occurs on a Windows XP Sp2 system:

After getting the "You Must Click Yes" dialog, and you agree to install the ActiveX control, you get the standard ActiveX install warning:










After agreeing to Zango, to their credit, you then get these screens:





Note that this screen is pre-selected, has a big EULA stuffed into a tiny box, etc. But it is a step better than what we've seen in the past...



So, notice is given that Zango is being installed, and one can uninstall the programs through Add/Remove.

Here's the key problem, though: The use of ActiveX installs is problematic, since one cannot provide adequate notice and disclosure in the initial screen -- and it's a method of install that has been heavily abused in the spyware space.

ActiveX controls are used by many reputable publishers, such as Microsoft and Trend Micro. However, in these cases, the user is quite aware of what is going on. Simply getting an ActiveX control popping up in your face (the case if you're not running SP2) confuses and baffles users.

However, to 180's credit, they do provide an install screen after the ActiveX install which clarifies what is going on.

A final note: Contrary to intimations in the installer and uninstaller, access to this website does not need Zango.

ATM Hacking

Ted Richardson writes about hacking an ATM machine, with pics…

Here are his pics of an ATM Machine after being compromised.













They attach a device over the card slot on the legitimate ATM, which reads the magnetic information. Using the latest wireless technology, it is normally transmitted to fraudsters in a nearby vehicle.














Your ATM is protected by a PIN, but these criminals have a solution for this too. They install a hidden camera, again using the latest technology (wireless) and the PIN is digitally recorded.













Here is a picture of the compromised ATM with the camera installed.












Alex Eckelberry

New national security blog

Ex-army intel guy and security pundit William Arkin has started a national security blog. Check it out here.

Alex Eckelberry
(Thanks to beSpacific)

Mozilla fights back against security claims

As blogged earlier, vulnerabilities in Firefox are now running at a faster clip than those for Internet Explorer.

ZDNET article here: “Tristan Nitot, president of Mozilla Europe, hit back by claiming on Monday that when a vulnerability is found Mozilla's "ability to react, find a solution and put it into the user's hands is better than Microsoft."”

Alex Eckelberry
(Tip of the hat to Donna)

Another disgusting ploy by a rogue program

SpywareIno wrote about Evidence Eliminator and called the company “scum”. Pretty harsh words.

Well, after having seen this screen this morning, I can say that I can’t agree with them more completely.




Alex Eckelberry
(Thanks to Patrick Jordan for finding this one)

Tuesday, September 20, 2005

Opera's gone free

Great move.  Opera is now free, with no ads.

Download Opera for free.

Alex  

Spammers and Scammers

From Deb Shinder:

It's not just that the amount of spam is increasing lately (over the last few weeks, I've gone from getting 5-10 spam messages in my Inbox each morning to 20-40). Thank goodness for iHateSpam (on a recent typical Monday, over 3000 spams were caught by our server-level filters, addressed to either my husband or me, or to nonexistent addresses in our domain, before they ever reached our mailboxes). The really bad part is that the "quality" of the spam that gets through is deteriorating.

Now maybe "quality" is a contradiction in terms when you're talking about spam, but here's the point: in the past, the majority of spam messages that got through my filters were attempts to sell something, similar to the junk mail that we get in our physical mailboxes. Annoying, but not infuriating. My mail filters caught the blatant porn spam and other offensive messages.

The past month has seen a big increase in spam scams of all kinds. Part of this is undoubtedly the natural tendency of con men rushing in where angels fear to tread after a natural disaster like Hurricane Katrina - I've seen a few of the fake charity solicitation spam with links that most likely lead to phishing Web sites. These sites are dangerous. It would be bad enough if the only problem were that the unsuspecting person who enters credit card information to supposedly donate to the charity has those funds diverted to the scammer's use, but it gets worse. The credit card info itself is often used to steal the person's identity and make other, unauthorized charges. This is, in my opinion, the lowest of the low. Federal and state governments are cracking down on these scammers. Read more here.

Another spam scam I've been seeing regularly is from an organization that calls itself SPAMIS, which is supposed to stand for "Strategic Partnership Against Microsoft Illegal Spam." I started getting these months ago, and found it pretty ironic that these claims that Microsoft sends unsolicited and unwanted e-mail were being sent as ... unsolicited and unwanted e-mail.

The more recent messages from SPAMIS have gone far afield of the "spam" claims against Microsoft, and started making other accusations. The latest one, which I got last Thursday, is titled "Microsoft plans to stop supporting the American economy by outsourcing more than 10,000 jobs over 10 years to China." When you dig deeper into this story, you find that the source of those numbers appears to be Kai-Fu Lee, the Microsoft executive who left to work for Google and is being sued by Microsoft for breaching the non-compete agreement that he had signed. Not exactly an unbiased source.

But whether or not the outsourcing numbers are true, it's highly unlikely that the company has any plans to "stop supporting the American economy." And if they did, what does that have to do with spam (which is supposedly SPAMIS's purpose for existing)? It has become very clear, if it wasn't already, that SPAMIS is not an anti-spam organization like CAUCE (the Coalition Against Unsolicited Commercial Email), but is in fact an anti-Microsoft organization that uses spam to further its campaign against the company.

To confirm even further that SPAMIS is a spammer, their most recent messages - like so many other spam messages - disguise who the message is from by placing the recipient's own e-mail address in the "from" field. Thus, when their messages show up in my mailbox, it looks as if they came from me. Gosh, why would a legitimate organization do that? Obviously lots of other folks are onto their scam and blocking mail from their own domain.

According to several sources on the Web, the driving force behind SPAMIS is none other than Robert Soloway, who is a well-known spammer and seller of mailing list addresses. According to Spamhaus, a popular register of known spam operations, rumor has it that Soloway has hired virus writers to create spam zombies. You can read more about Soloway here.

It comes as no surprise that Soloway was one of the spammers Microsoft sued for illegal spamming. He has recently mounted a campaign against Microsoft's Sender ID framework, a technology that's designed to stop spam by verifying the IP addresses of email senders and comparing them to the registered addresses for the purported sending domain to authenticate senders' identities - you can read more about Sender ID here.

I'm also getting lots of spam these days in other languages, including those in Cyrillic and Asian alphabets. Don't know what they're trying to sell me, but at least those are easy to tag as spam.

What about you? Have you noticed any new patterns in the spam you're receiving lately? Are any of the new spam messages particularly annoying to you? Are you seeing more scam spams than usual? Are your filters having a hard time keeping up as the spammers change their domains and methods? Feel free to comment.

Deb Shinder
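Two of the points above, forged "from yourself" messages and Sender ID's comparison of the sending IP against the domain's published policy, can be illustrated with a small sender-policy check. This is an added example, not Deb Shinder's or Sunbelt's code: it evaluates an SPF-style record (the `v=spf1` syntax that Sender ID also falls back on) against a connecting IP. Only the `ip4`, `ip6` and `all` mechanisms are implemented, and the DNS lookup is replaced by a constructed in-memory table of records so it runs offline.

```python
"""Simplified SPF/Sender ID style check of a sending IP against a domain's
published policy. Added example (not from the original post); DNS is replaced
by a constructed in-memory table so it runs offline."""
import ipaddress

# Constructed sample records: a real check would fetch these as TXT records.
SAMPLE_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "nopolicy.example": None,   # domain that publishes no policy at all
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(sender_ip, domain, records=SAMPLE_RECORDS):
    """Return one of pass/fail/softfail/neutral/none/permerror.

    Only ip4, ip6 and all mechanisms are implemented; include/a/mx/redirect
    need live DNS and are reported as permerror in this simplified checker.
    """
    record = records.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
            continue
        return "permerror"  # unsupported mechanism in this simplified checker
    return "neutral"        # record exhausted without a match


def check_message(from_addr, sender_ip, records=SAMPLE_RECORDS):
    """Apply the policy of the domain in the From address to the connecting IP
    and return the verdict plus a log-style explanation."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    result = evaluate_spf(sender_ip, domain, records)
    return result, f"{from_addr} via {sender_ip}: spf={result} (domain {domain})"


if __name__ == "__main__":
    # Constructed messages: a genuine sender, then the "from yourself" forgery
    # arriving from an address the domain never authorised.
    print(check_message("alice@example.com", "192.0.2.25")[1])
    print(check_message("deb@example.com", "203.0.113.7")[1])
```

The forged message fails because example.com's record ends in `-all`: the domain owner has said that nothing outside the listed ranges may claim to be them, which is exactly the check that makes a spammer's "from the recipient's own address" trick detectable at the receiving mail server.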

Everything You Always Wanted to Know About Windows Product Activation

Here is a good explanation of exactly how WPA works.

Alex
(Thanks to our Deb Shinder and Steve C. who sent us this link)

Firefox: Honeymoon Over?

No. I think you’re way, way safer using Firefox over IE, but according to security expert George Ou, Firefox now has more vulnerabilities per month than IE (you need to read the whole article to understand the data).

Read George's blog here

Click here to read an unrelated CNET story about Symantec’s recent statements on Mozilla browser security (“Mozilla Web browsers are potentially more vulnerable to attack than Microsoft's Internet Explorer, according to a Symantec report…There is one caveat: Symantec counts only those security flaws that have been confirmed by the vendor. According to security monitoring company Secunia, there are 19 security issues that Microsoft still has to deal with for Internet Explorer, while there are only three for Firefox.”)

 

Alex Eckelberry

Monday, September 19, 2005

Stopping spyware at the gateway

We’ve developed a version of CounterSpy that can be put into gateway appliances.  Our first deal is with a company called Cymphonix.  They make a pretty nifty appliance— it blocks spyware and a lot more, such as shaping bandwidth (meaning, you can give different users and applications different restrictions on bandwidth).

 

Alex Eckelberry

Cisco operating system hacked?

This Russian website writes about hacking the Cisco IOS (the Internet Operating System—what their routers run on).

In case you don’t speak Russian, we have translated the text (some potentially offensive text was removed):

On September 9th Andrey Vladimirov, security specialist, known as the co-author of “Wi-Foo: The Secrets Of Wireless Hacking” book, revealed information regarding the end of “brain storm” which targeted Cisco software vulnerabilities in his LiveJournal blog, where he goes by nick name “dr_nicodimus”.

Researchers developed methods of injecting code in Cisco IOS and figured out how Exploits and Shellcode could be written for that platform. They created mechanisms that allowed implementing cross-platform worms for IOS. They detected a big number of vulnerabilities in EIGRP routing protocol. To demonstrate this they attacked one Cisco box from the other and as a result they were able to run IRC server on hijacked machine.

Therefore, we can certainly say that they succeeded in cracking Cisco router software and this demonstrates once again that overestimating the idea of “security through obscurity” leads to very dangerous consequences.

Hopefully, Cisco will take into account the lessons learned by Microsoft and will soon release their own “Cisco IOS SP2”.

I admittedly don’t have much sympathy for Cisco these days after watching their treatment of Michael Lynn and their frantic and bungling efforts to kill the information (one of the most mindboggling things I’ve seen was this video of Cisco employees tearing up his presentation at the BlackHat conference).

 

Alex Eckelberry
(Thanks to Olexiy for the translation)

Outlook Express

According to this video at Microsoft’s Channel 9, Outlook Express will be renamed Windows Mail and will have spam filtering.  More here.

Alex Eckelberry

Risk assessment standard

This is actually useful.  The Common Vulnerability Scoring System allows companies to realistically interpret a security threat for their organization. 

From the article in CNET:

“CVSS goes beyond today's severity ratings, such as the familiar "critical" and "important" found in security bulletins from Microsoft. The new scoring system, which uses numbers between 1 and 10, enables organizations to calculate the specific risk to their own environment by adding information related to their IT systems. This could help them prioritize patches.”

 

Alex Eckelberry

Sunday, September 18, 2005

You want free crackz? Prepare to pay the price

Crackz sites (where one can find stolen registration numbers for software) are always good places to get yourself a big fat payload of spyware. But there’s fuel to the fire from two notable researchers: Microsoft MVP Chris Boyd at VitalSecurity.org writes a damning review of a program called Crack Extractor which has a mass of spyware as a payload. And Roger Karlsson stepped in with a video taken back in June of YourSiteBar, 180Solutions, Exact Advertising and more distributed side by side with a license key generator for Nero 6 Ultra Edition CD burning software.

Saturday, September 17, 2005

Information Week gives CounterSpy Enterprise Editor's Choice

This just in. Information Week's review of enterprise antispyware products resulted in CounterSpy Enterprise winning Editor's Choice.

"Sunbelt CounterSpy Enterprise wins our Editor's Choice award for its modern interface design, ease of deployment and ability to remove what we threw at it. "

Article here.

(Correction: As Mitch Wagner points out, this is actually a Network Computing article that was republished in Information Week).

Alex Eckelberry
(Apologies for the shameless plug.)

Friday, September 16, 2005

Fascinating article on Phishing

Christopher Abad at Cloudmark (a business partner of Sunbelt’s) wrote an extraordinary paper on phishing several months ago.  If you haven’t seen it, it’s a highly recommended research treatment of the subject.

For example, by spidering through IRC servers, they found this complex interrelation among phishers: 


 

Alex Eckelberry
(Thanks Eric)

Thursday, September 15, 2005

Who is Brad Greenspan and why is he so mad?

In early 1999, Brad Greenspan founded Entertainment Universe.  Just a few months later, he completed a complex transaction where he raised capital from Lehman Brothers, Eisenberg Partners and others;  acquired CD Universe (an online CD retailer); and went public on the OTC bulletin board by merging with Motorcycle Centers of America (an empty public shell).   This all occurred on the same day, April 14th. 

Within months, he continued his acquisition spree, acquiring MegaDVD.com, an online DVD retailer; entered into an agreement to buy Case’s Ladder;  and signed in a letter of intent to buy Gamer’s Alliance.

Dizzy yet?  Well, that’s the story of the early days of eUniverse, which later became Intermix, a subject of an entanglement with the New York AG’s office.

Brad left eUniverse in the fall of 2003 and the company later became Intermix, got into trouble with the New York AG, came to an agreement with the AG and then got bought by Rupert Murdoch.

Now, Brad has set up a website that is making some pretty damning allegations against certain members of the Intermix management team.  He alleges that Intermix managers Brett Brewer, Adam Goldenberg, and Thomas Flahie profited by selling stock before the AG’s investigation was announced. Further, he alleges that Vantage Point Partners, an investor in Intermix, sold stock as well during roughly the same period.  Vantage Point is the employer of Intermix chairman David Carlick and board member Andrew Sheehan.


(Chart from insiderstocksales.com)

He also claims that Intermix actually increased its online downloads while the AG’s office was investigating.  

And he’s launched a website with slideshows to prove his point.

Is he right?  Well, that’s actually hard to tell.  Many executives in public companies put themselves on automatic selling programs, which sell their stock regardless of their insider knowledge. Whether or not an insider profited while in possession of material and confidential insider information  is a subject of a vast amount of law and really can’t be speculated on without a thorough investigation by the SEC. In other words, don’t jump to conclusions without knowing all the facts.

Alas, I’m not a lawyer and also just don’t have the time to delve into what certainly looks like a fascinating story.  If anyone else wants to get into it, go for it.

Alex Eckelberry
(Thanks Ben)

Wednesday, September 14, 2005

180 hit with a class action lawsuit

Several months after a class action lawsuit against Direct Revenue, 180 Solutions is now the target of a lawsuit.

Blogged here at ZDNET.   You can download the court document here.

TechDirt also blogs on it here.

 

Alex Eckelberry

 

Trying to make sense out of EULAs

EULAs — End User License Agreements — are those agreements that you usually sign by clicking “I Agree” on a software installation.  They are usually complex legal documents (one practically needs a law degree to pore through them).

JavaCool Software has come up with a nifty tool that actually parses EULAs into key areas, like Advertising, Privacy, Search Terms, and assigns “interest levels” (basically, almost like a threat level).  The basic version is free, and is available here.

This screen shot is of a Direct Revenue install that was analyzed:



Alex Eckelberry
(Thanks to Corrine for the tip)

How to educate employees about spyware

SearchSecurity has an article out today about educating employees about spyware.  Link here.

Alex Eckelberry

AskJeeves Response to our whitepaper

Kirk Lawrence at AskJeeves responds to our earlier post on AskJeeves.

The article can be found here but I’ve pasted it below as well:

Response to Sunbelt's Blog Posting


Ask Jeeves recognizes that industry confusion exists around downloadable software products, which can lead to erroneous flagging of user-friendly products by anti-spyware makers. Ask Jeeves’ products are not adware or spyware and we take this issue very seriously. We recently contacted Sunbelt Software to correct, what Sunbelt itself recognizes, is inaccurate flagging of our products as adware and spyware by their software. This gross misrepresentation of our product was misleading to consumers and, as such, we felt it must be corrected.

We support industry efforts to regulate standards and believe strongly in the value of companies dedicated to clarifying vendor practices for the consumer while taking the necessary steps to ensure that accurate information is provided to the public. Unfortunately, the most recent report released by Sunbelt Software still does not provide accurate information to consumers, further muddling what is already a confusing industry issue. Ask Jeeves takes great pride in the integrity of the Company’s Fun Web Products and family of My Search toolbars and is deeply concerned by the assertions made in Sunbelt’s report. The report includes old and inaccurate data that misrepresents our practices. This erroneous information disseminated to the public only serves to do consumers a disservice by taking the attention off rogue vendors and on to companies who create and distribute legitimate and user-friendly consumer products.

We’re proud of the steps Ask Jeeves has taken to protect consumers and feel it necessary to clarify the misstatements issued in the Sunbelt report:

· Ask Jeeves prohibits both its direct advertising and third-party distribution partners from using drive-by download practices. Ask Jeeves has, and will continue to terminate advertising partners that violate our contracts.
· Ask Jeeves also prohibits the use of any type of click fraud to force installations, such as a “fake close x” to mimic user-initiated click activity. The force-installs through security exploits that are cited in the report were in direct violation of our contracts, and those partners were terminated. In addition to the contractual terms we have in place, we have implemented technical measures to prevent rogue advertisers from engaging in this type of activity.
· Ask Jeeves requires clear, concise and complete disclosure to be provided before our applications are downloaded and installed either directly from our sites or through our third-party distribution partners. All Ask Jeeves downloadable software applications must be distributed with an End User License Agreement (EULA) that is easily accessible prior to installation. All Ask Jeeves applications also require the consent of the user prior to installation.

We don’t stop there. Ask Jeeves is consistently looking for ways to be more proactive in our approach to ensure that partners comply with our policies. Several months ago we created a compliance office to monitor the actions of the third party partners and distributors of our toolbars and bring partners who violate our software guidelines (http://sp.ask.com/docs/jeevesinc/policy_download.html) into compliance or, in some cases, terminate the partners that do not comply with required changes. We will actively investigate allegations made by Sunbelt Software against our partners to determine if they are in breach of our policies, and will take swift action if we uncover any violations. We recognize it is difficult to monitor the entire Internet and encourage our users to report violations of our policies by emailing us at reportviolations@askjeeves.com.

In closing, Ask Jeeves condemns practices that deceive users into downloading or installing software and will continue to work to ensure the only people downloading our products are those that choose to affirmatively engage with them for the great functionality they offer.

We appreciate the user and industry feedback that helps make our products better and we’re proud of the steps we’ve taken to protect consumers. We’ll continue to evolve with changing industry standards while delivering great products that millions of active users enjoy every day.

Kirk Lawrence
Director of Internet Security and Privacy
Ask Jeeves, Inc.

 

 

Tuesday, September 13, 2005

Vista will come in SEVEN flavors

My head is spinning.  Really. 

According to this article by Paul Thurrott, “Microsoft is creating seven versions of Vista for end users (nine if you count the N Editions that will target European markets). To differentiate these products, the company is carefully matching feature sets to the expected markets that will adopt each product version.
  
Two low-end versions of the product, Vista Starter Edition and Vista Home Basic Edition, won't feature the much-vaunted Aero UI that will adorn all the other Vista versions. Instead, these versions will use a lower-quality, XP-like UI that's more appropriate for the low-end hardware that infrequent PC users and emerging markets might use. Vista Starter and Vista Home Basic will also lack the rolodex, tab previews, and task bar preview features that other Vista editions will offer.”

Alex Eckelberry

Irony

I found this particularly ironic. This popup was displayed yesterday while using 180Solutions Zango:



Alex Eckelberry

Monday, September 12, 2005

The debate about PhishFighting.com

A couple of weeks back, I blogged on a new site, called phishfighting.com.

The idea is you enter a URL into the site, and it sends the phishing site fake hits every 20 seconds.

Well it was a hot subject. Lots of comments on the original blog, and I followed up with a new blog entry here. Now, Microsoft MVP Sandi Hardmeier at the SpywareSucks blog had even more damning comments than the prior one:



Here's the deal. The sentiment is great, but the reality is not. Having “fun“ is of no practical use (although it may make you feel good).

Many phishing sites are hosted on compromised computers - computers that have been hacked. The owners have no idea what has happened to their systems, and invariably each phish site only lasts 5 to 9 days (on average) before the phishers move on.

Who are we punishing here? The victim whose computer has been hacked and who has to pay for the phisher bandwidth, and now the bandwidth generated by sites like phishfighting? Are we punishing the phishers? They don't care. When one site is compromised they simply create a new one.

We're dealing with professionals who are more than capable of weeding out and discarding fake data. All they need to do is whip up a little programme that will retrieve, and test, information provided with no human interaction or effort. If you think that there is a person, or a series of people, wading through print-outs trying out each log-on by hand, I'm betting you're wrong in that assumption. Think about it. How many millions of phish emails do you think are sent out every day? The bad guys have the capacity to handle a *lot* of data.

Not only that, the Anti Phishing Working Group advised in their July report that there has been a 100% increase in the number of phishing sites that attempt to infect systems with keyloggers and trojans to capture sensitive information such as usernames and passwords. The implications are far worse, in such circumstances, than the compromise of username and password for one financial institution.

What is phishfighting's “Method One” for retrieving a phishing URL? They say “Simply click on the link and copy the real url from the browser bar“... NO!!! DON'T DO IT!!!!! Don't click on the link!!!!!

Edit: Let's expand on this - don't even *open* a phishing email. If it includes remote graphics, and your email client is set to download such things, simply by opening the email you are confirming that your email is “live“, making it immediately valuable to all kinds of spammers, and saleable.

Also, some phishing emails attempt to infect computers as soon as an email is opened by using certain old security vulnerabilities that *should* be patched, but may not be.

All that we get from services such as phishfighting is a misplaced sense of satisfaction that we are somehow hurting the phishers. We're not.

There is NOTHING on the phishfighting site that teaches users how to report phish sites to ISPs and get them shut down legitimately.

Phishfighters say that they are not using a DOS (denial of service) tactic because they only send one fake alert every 20 seconds. Is that 20 seconds per report, or 20 seconds per URL? The site doesn't say.

Don't use services such as phishfighting. Use spamcop to report spam emails (http://www.spamcop.net/). Learn how to read email headers and report spammers to their ISP (http://www.stopspam.org/email/headers.html) but remember, the spamming computer may be a zombie, the owner may have no idea what has happened, so be nice.

Use allwhois (http://www.allwhois.com/) to trace the host of phish sites and report their existence direct to the host ISP - get the site shut down. Again, remember the host computer may have been hacked, and the owner completely unaware of what has happened. Be nice.

Please, don't use services such as phishfighting and DON'T click on the link in a spam email ... please.
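The header-reading advice above, as an added example that is not part of Sandi's post: a Python script that walks a constructed message's Received: chain from the top, believes only the lines written by your own mail servers (TRUSTED_RELAYS, an assumed set), so the last hop those servers recorded is the machine to report to its ISP, and pulls the phish site's host out of the body. The message, hostnames and addresses are constructed placeholders, and the whois lookup the post recommends is a separate step.

```python
"""
Walk an e-mail's Received: chain to find the host to report to its ISP.

Added example (not from the original post). The message, hostnames and
addresses below are constructed placeholders (RFC 5737 documentation ranges).
"""
import email
import re

# The reader's own mail servers (constructed names). Only Received: lines
# written *by* these hosts can be believed; anything below them in the chain
# may have been forged by the sender.
TRUSTED_RELAYS = {"mailbox.example.net", "mx1.example.net"}

# Constructed phish: two genuine hops (our MX, then our mailbox server) and a
# forged Received: line the sender prepended to make the mail look like it
# came from the bank. The sending PC (198.51.100.77) may well be a zombie.
SAMPLE_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mailbox.example.net with ESMTP id ABC123; Mon, 29 Aug 2005 10:12:03 -0500
Received: from pc-1234.isp-example.org (pc-1234.isp-example.org [198.51.100.77])
\tby mx1.example.net with SMTP id XYZ789; Mon, 29 Aug 2005 10:12:01 -0500
Received: from bank-secure.example.com ([203.0.113.5])
\tby pc-1234.isp-example.org; Mon, 29 Aug 2005 10:11:58 -0500
From: "Security Dept" <security@bank.example.com>
To: victim@example.net
Subject: Your account has been suspended

Please verify your account at http://203.0.113.5/login/ within 24 hours.
"""

# "from <helo> (<reverse-dns> [<ip>]) ... by <server>"; re.S spans folded lines.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)", re.S)
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
URL_HOST_RE = re.compile(r"https?://([^/\s\"'<>]+)")


def parse_received(header):
    """Return {'helo', 'ip', 'by'} for one Received: header, or None."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    ip_match = IPV4_RE.search(m.group("paren") or "")
    return {
        "helo": m.group("helo"),
        "ip": ip_match.group(1) if ip_match else None,
        "by": m.group("by").rstrip(";,"),
    }


def originating_hop(raw_message, trusted=TRUSTED_RELAYS):
    """Top-down walk. Returns (last hop recorded by a trusted server, number
    of Received: lines below it that were ignored as unverifiable/forged)."""
    msg = email.message_from_string(raw_message)
    origin, ignored, believe = None, 0, True
    for header in msg.get_all("Received", []):  # most recent hop first
        hop = parse_received(header)
        if believe and hop is not None and hop["by"] in trusted:
            origin = hop
        else:
            believe = False  # written by a server we don't control: stop here
            ignored += 1
    return origin, ignored


def phish_hosts(raw_message):
    """Hosts linked from a single-part text body: the phish site(s) to report."""
    msg = email.message_from_string(raw_message)
    if msg.is_multipart():
        raise ValueError("example handles single-part messages only")
    return sorted(set(URL_HOST_RE.findall(msg.get_payload())))


def report_targets(raw_message, trusted=TRUSTED_RELAYS):
    """Who to contact: the sender's network (whois the IP) and the phish host."""
    hop, ignored = originating_hop(raw_message, trusted)
    return {
        "sender_ip": hop["ip"] if hop else None,
        "sender_host": hop["helo"] if hop else None,
        "unverifiable_headers": ignored,
        "phish_hosts": phish_hosts(raw_message),
    }


if __name__ == "__main__":
    print(report_targets(SAMPLE_MESSAGE))
```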

Robin Grimes, the developer of PhishFighting.com, responds with this:

As I understand, from reading [his] post, his main premise is that the Phishers are too smart for us and that clicking a phishing email link can be dangerous. So let’s address his concerns:

1. He is correct that clicking a link in a phisher’s email can be hazardous. This is why I’ve posted alternative ways to determine the phisher’s real link. He’s correct that I should point out that “Option 1” is hazardous, so I’ve updated PhishFighting.com to make note of this.

2. His premise that Phishers are too smart for us, that they all have programs to test and filter false data, is a little broad reaching. I’m sure there are some very sophisticated Phishers out there that won’t be the least bit inconvenienced by receiving false data. But I’m willing to bet that a majority of the Phishers are basically petty thieves and that getting 100s or 1000s of fake entries will inconvenience them to some degree. And that’s really the point of PhishFighting.com, to in some small way cause them the inconvenience that they cause us.

3. He says “Don't use services such as phishfighting. Use spamcop to report spam emails (http://www.spamcop.net/)”. His premise is that using spamcop.net or some other reporting agency will stop Phishing (it hasn’t), or will have more impact than PhishFighting.com. Possibly, but I haven't seen any evidence that Phishing is on the decline. I received 4 new phishing emails this weekend. Phishing seems to be growing, not declining.

4. He also states that I don’t offer any alternative ways to fight phishing on my site. That’s true, namely because I have not found any real method that actually has a major impact on Phishing. There are a lot of sites and agencies purporting to offer some solution or impact, but I have not heard of one that can prove it, myself included. I don’t claim that PhishFighting.com will solve the problem, but then nobody has a solution. There is no other way for an individual to fight back against Phishers. If PhishFighting.com inconveniences the Phishers in any small way then it’s doing what it is designed to do. Plus there is a certain amount of “Feel Good” factor in being able to do something other than just reporting them.

PhishFighting.com is all about giving the individual a method of striking back, even if it is in some very small way.

If you have additional questions, tips, suggestions, or just want to tell me I’m a dipstick, email me at Support@PhishFighting.com.

Robin

Robin at PhishFighting.com should be congratulated for at least trying something to fight phishing, and it's sad to see that some people have been piling on him.

But Sandi at SpywareSucks brings up good points, and one should be careful using such a service. Often, my response to phishing is to report it to eBay, PayPal, or the bank in question; and if a legitimate site is compromised (all too common), I try to alert the site owner. Phishfighting is another tool in your arsenal, but if you use it, do so with caution.

So in the end, I'll leave it up to your best judgement.

Alex Eckelberry

The AskJeeves question. Hopefully, we've answered it.

A while back, AskJeeves approached us to have their products delisted from the CounterSpy database.

There are a number of antispyware programs that list AskJeeves toolbars and a number that don’t. You can see the current status of AskJeeves detections here. It’s a mixed bag: Companies that don’t detect any AskJeeves programs are Lavasoft, Microsoft, WebRoot, PC Tools and FBM Software. Companies that do are Sunbelt, McAfee, Computer Associates, Spybot, Tenebril, Trend and Facetime.

The AskJeeves question is not new. See this article in Newsweek in June and Ben Edelman’s discussion in May. Clearly, there’s room for a definitive answer, especially with business customers who buy antispyware programs.

So we proceeded to perform a comprehensive study of the AskJeeves programs in question. That study can be found here.

The AskJeeves programs referred to are all search tools that are added to your browser: MySearch Bar, MyWay Speedbar and MyWeb Search and their variants (AskJeeves re-brands or makes changes to these toolbars, to come up with types of toolbars that offer free cursors, screen savers, etc.).

What we found in some cases was troubling. Now, don’t get us wrong: The AskJeeves toolbars are NOT adware or spyware. They are arguably relatively innocuous additions to the browser. However, methods of current and past distribution, notice and disclosure are of concern. After reviewing the results, one has to ask oneself the question: If an AskJeeves toolbar is on a user’s system, did they really want it on there in the first place? Did they even know they were getting it?

When AskJeeves' products are downloaded and installed directly from AskJeeves' own web sites, notice and disclosure of the products and their functionality is generally good, though there is room for improvement in some cases (e.g., the failure to describe FunWeb Products as browser toolbars). However, several of AskJeeves' products are plagued with poor installation practices when distributed by third parties or when advertised at third-party web sites. Putting aside concerns about aggressive advertising practices (treated at length in the whitepaper), we found issues with the following:

Poor notice and disclosure with software bundlers. AskJeeves products are bundled with software like Grokster and Kazaa, where poor notice and disclosure are provided. The worst case we observed was a bundle with the Bald Eagle Screensaver which installed MyGlobalSearch Toolbar even after the user cancelled the installation. You can see the video taken August 28th of exactly this occurring here.

Installation through ActiveX controls. While Internet Explorer’s user notification about ActiveX controls has improved measurably since the release of XP Service Pack 2, there is still an issue with these types of downloads. AskJeeves' products have been installed through automated ActiveX installations that initiate when users land on third-party web pages. These ActiveX popups, which launch without warning in arguably confusing circumstances, can prove bewildering to users. For example, this ActiveX popup was found on Smiley Central:


Examples of ActiveX installations of AskJeeves' software include IOWrestling.com (Sept. 2004), Letssingit.com (Apr. 2005), and Prowrestling.com (Apr. 2005).

Past installation through Windows Media Player exploit. While not as relevant today, an issue several months ago was the installation of software through Windows Media Player files (the Microsoft Digital Rights Management feature, or DRM, allowed publishers to re-direct viewers of a file to a 3rd party website — this was being used by unscrupulous vendors to attempt spyware/adware installations).

In testing during January 2005 with one such WMP file (aria_giovanni_full7.wmv), an ActiveX install prompt for Popular Screensavers/MyWebSearch toolbar was encountered amidst a series of other installation prompts for XXXToolbar (IST), "Free Jenna Jameson Screensaver" (ABetterInternet), and "Video Secret & Chat" (ABetterInternet).


Force installs through security exploits. By far the worst documented installation practices for AskJeeves' products have been the past force-installs of AskJeeves toolbars through security exploits, as reported by Ben Edelman back in May.

Changes to the CounterSpy database.

Products that have been marked by problematic installation practices through third-party advertising and distribution include My Global Search, My Search Bar, Need2Find Toolbar, and My Speedbar; as well as variants of MyWebSearch Toolbar which include CursorMania, FunBuddyIcons, HistorySwatter, MyFunCards, My Mail Signature, My Mail Stationary, PopSwatter, Popular Screensavers and Smiley Central. These will all be listed in the CounterSpy database.

We found no issues with AskJeeves Bar, Excite Speedbar, and iWon Co-Pilot and hence they will not be included unless and until hard evidence emerges that these products are being distributed or advertised in ways that trip Sunbelt's Listing Criteria, as AskJeeves' other products do.

My Global Search or Need2Find toolbars are not currently detected and will be added, and a number of housekeeping changes will be made to the database to put all the offending programs into the correct taxonomy and labeling standards we have established.

Our whitepaper goes into great and exhaustive detail on all of these points, and I would recommend reading it here.

eWeek writes about it here. Internet Week here.

Alex Eckelberry

Addendum: AskJeeves says that with the FasterXP install documented in the whitepaper, the toolbar "implodes" after installation. That's true. Once installed, the toolbar's buttons are disabled and it only has an "uninstall" button.

Saturday, September 10, 2005

Another antispyware tool


This handy little gadget purports to spot hidden spy cameras.

I'm not sure if it actually works, but it's a cute idea.

Link here. (via BoingBoing)

Alex Eckelberry

Friday, September 09, 2005

MS employee blogs about keylogging

Good stuff here.

“And that’s the key issue - you have to trust the endpoints in a given Web transaction, not just the security "on the wire". Security on the wire is important - SSL is how you ensure that none of the myriad networks your little packet might traverse between you and the bank has an easy opportunity to steal your account details without even needing to be present - but it's only part of the end-to-end security story, and with on-the-wire security generally accepted to be "good enough" to stop the casual hacker, my gut tells me the local endpoint - and that's typically the client - is the most frequent point of compromise.”

Yup.

Alex Eckelberry 

Adbumb takes a stand

Pesach Lattin, CEO of AdBUMb (a big newsletter for the online advertising community) has taken a stand on spyware.

His blog entry here.

“…there can be no doubt anymore that much of the adware industry is not legit. And there is no doubt that much of this industry is plainly illegal. Even the largest companies have, at the least, benefited from illegal actions—and, at the most, they have actively participated in methods of infiltrating/hacking into computers in order to install their adware. Consumers have said over and over again that they do not want this software on their computers, never asked for it and are not going to take it. Run a search on any adware company, and you get millions of hits of consumers complaining about it being installed on their computers without permission.”

Alex Eckelberry

 

Sleazy install of the week

I hope the FTC gets on this one.  Some website, security2k.net (careful going there) is masquerading as the Windows Security Center, trying to sell security software (notably some program called SpyTrooper) with grossly misleading scare tactics.


Alex Eckelberry

Wednesday, September 07, 2005

Why couldn't they have conveniently "lost" that information?

According to this article, Yahoo gave information on a Chinese journalist to the Chinese government.  The journalist went to prison for 10 years for divulging “state secrets”.

“The state secret was a message to Shi's newspaper warning journalists of the dangers associated with dissidents returning to mark the 15th anniversary of the Tiananmen Square massacre, according to the group. Shi admitted sending the e-mail but disputed whether it was a secret document.”

I’m sick.  I really am.  To lock away a guy for ten years for something so patently idiotic. 

There’s a moral dilemma for companies operating in China.  Do you cooperate with the Borg to keep it happy and to forward your commercial interests — and possibly risk your own integrity?  Perhaps one can just become “forgetful” or “lose the data”?  

There’s a lot of good people at Yahoo, and I’m sure they were horrified to learn about this.  If this story is true, it’s likely Yahoo got a request from the Chinese government and released the information to them, not realizing this poor guy was going to go to jail.  It’s hard to blame them… their own employees would have probably gone to jail themselves for not honoring the request.  Or Yahoo might have lost vital access they need to get their Chinese markets going.  But that is a tough decision. 

Alex Eckelberry 

 

180 Solutions will try to clean up its distribution channels

180 Solutions has announced plans to clean up their distribution channels.

Basically:

  • The new technology, dubbed S3, is designed to help “prevent the suppression or manipulation of the user consent experience prior to installation”
  • All new affiliates are required to use this new technology. Current (and sometimes naughty) distributors have until the end of the year to transition to it.
  • From what we can tell it looks like a re-coded version of the CBC Force Prompt. The CBC Force Prompt is a prompt that is supposed to come up no matter how 180 Solutions software is installed, to make sure the user is getting the software on their system. It hasn’t always been doing that, ostensibly because of “rogue distributors” bypassing it. I got one today. It looks very similar to this prompt that Ben Edelman talks about here.

Back in May, Daniel Todd of 180 Solutions and I had a chat about using technology to clean up their distribution channels. I wrote about it here.

Well, it's ironic, since this is exactly the kind of thing I suggested to Daniel Todd back in May.

Every few months 180 announces a new "reform" that will supposedly make its installation practices kosher. This has been going on for over a year, and at the end of all previous efforts we still have examples of unethical installs. So we welcome their continued publicly announced efforts at reform but admit to viewing another promised reform with a somewhat cautious view.

In its press release 180 says that this new technology "helps prevent the suppression or manipulation of the user consent experience prior to installation." All fine and well, but if the "user consent experience" itself consists of these kinds of notice screens used in recent installations, then is that really enough? See the screenshots here and Ben Edelman’s analysis here.

Anyway, it's good they are not going to pay affiliates for prior versions after December of this year. The primary problem in spyware is the economic model — it is just too profitable for some distributors to get honest. But we have several months to go before we can see if this plan really works -- we'll be checking 180 installs on January 1...

In the end, as we’ve seen with Katrina, PR means nothing without action. The definition of PR is “good works well publicized”. Get the good works done first, then publicize.

Alex Eckelberry
(Tip of the hat to Eric Howes for his contribution to this blog).

9/7/2005 4:39:22 PM Update: Seattle PI story here.

Major flaw discovered in Cisco routers

I don’t know if this is related to Cisco’s public flagellation of Michael Lynn, but this new flaw caught my eye.

Alex Eckelberry

Phishfighting developer responds

Last week, I blogged on a new site, Phishfighting.com.  There was some concerned reaction from readers, as can be seen here.

Some of the comments:

“Uhm... no, sorry. This is a terrible service. This site does no checking whatsoever on the supposed "phishing source". One could easily turn this into a denial of service against legitimate sites. A terrible idea, if you ask me.”

“That is the coolest thing I have seen all day. Brilliant idea! Some phishers are getting it right now.”

“Now if he had more servers/IPs to do this from it would keep them from banning his IP address. Right now I know of several sites that are up, but don't come up on his site. They must be banning his IP/domain.”

“It is a great idea, but I do see the ramifications that could come out of it, like a DOS attack against legit. BTW, he does do some checking, type in the real eBay sign-in address.”

Robin, the developer of the site, responds:

“1. "DOS attack": A DOS attack is by definition a denial of service attack. By adding a 20 second interval between entries, the site is specifically designed NOT to create a DOS attack, which is illegal. Three entries a minute (180/hr) is nowhere near enough entries to take down a website.

2. "Phishers blocking my IP": The entries are actually coming from the browser, so the Phishers would need to block the user's IP, not the server's. And if blocking IPs creates more work for the Phishers then Cool.

3. "Attacking Legitimate sites": As Eddie pointed out, I am blocking on the most common legitimate sites. Paypal, Ebay etc. I'm logging and watching the entries. As I find submissions against real sites, I'm adding them to the blocked list.

I have no illusions that this will solve the Phishing problem. But it sure does feel good to fight back and, as one user put it, add the Phishers needles to a haystack.

Please contact me at Support@PhishFighting.com if you have questions, tips, suggestions, or just to tell me I'm an idiot. :^)”

Installing the Windows XP Support Tools

From one of our newsletters, WXPnews:

Did you know that there is a "toolbox" full of XP utilities that aren't installed on your computer by default, but are available on the installation CD? These include tools to provide information about the encrypting file system, directory disk usage, network connectivity and more. The Windows Installer Cleanup Utility removes old installation configuration information that can interfere with reinstalling a software product. The Memory Profiling Tool takes a snapshot of the system and records details of the memory resources being used by the system in a log file. For more information about the support tools and how to install them from the installation CD, click here.

Alex Eckelberry

 

Tuesday, September 06, 2005

Update to the Free SSA-Keylogger cleaner

Update: Information on the types of systems infected here.

The SSA keylogger cleaner has been updated to reflect some new variants. Link here.

Alex Eckelberry


Monday, September 05, 2005

Civilian flotillas needed in New Orleans

Off topic, but as a boater here on the Gulf, this caught my attention: Civilian flotillas are needed to rescue people trapped in homes -- a week after Katrina.

The feds and the local rescue teams can't keep up with the scale of people needing to be rescued. The actor Sean Penn has been driving around in a boat rescuing people and said he saw three civilian boats yesterday, and invited boaters to come in and join the rescue effort. CNN story here (go down to the links on civilian rescues and also the story about Penn).

If you live within a reasonable driving distance (perhaps Houston, Galveston, Tallahassee, Panama City, or even further) and have a boat with a low draft, feel free to drop in on the disaster and start picking people up. Launching is not that difficult, as every dry street has become a boat ramp.

On another note, a fellow I know is up there right now to help and emailed in to say the scale of the disaster is unimaginable, and that the pictures “don’t do it justice”.


Alex

Friday, September 02, 2005

Disaster map

A family member just forwarded me a Wired story about an interactive map of the horrific disaster in New Orleans.  An incredible tool, and put up in one day.  Scipionus.com. 

Alex Eckelberry

Impact of Direct Revenue ruling

Eric Goldman, a Marquette Law professor, has blogged about the Direct Revenue court ruling.

It seems he thinks it’s a big deal.

He thinks it may set a precedent that downloading Direct Revenue software could be considered a Trespass to Chattels (“a somewhat obscure tort action arising out of unauthorized dispossession, use, or interference with the tangible property of another.”). Wiki explaining the concept here.

Eric’s words:

“I trust we all can appreciate the floodgates of litigation that may open if undisclosed downloading of software (not just adware) onto a user's computer can support a trespass to chattels claim (if you're having trouble visualizing, just think two words: Flash and Java). We'll have to see if the court puts any better parameters on its thinking at the summary judgment stage.”

Alex Eckelberry 
(Tip o’ the hat to Suzi)

180 solutions responds to the spyware/kiddie porn/spam zombie story

Got this last night as a follow-up to my post on the spyware/kiddie porn/spam zombie connection.   Direct Revenue has also been in contact with us about this.

Alex,

I'm Ken McGraw, Chief Compliance Officer for 180solutions. Thank you for letting us know about the instance you discovered where 180search Assistant had been distributed in conjunction with child pornography. With your help, we have been able to confirm this to be true and will be taking the following actions:

* Based on pressure from us, Simpel Internet has ceased all distribution operations until they can get better control of their affiliates.
* We will cooperate with law enforcement in any way we can to ensure that justice is brought in this case.
* In the next couple of days, once we have the name and contact information of the alleged child pornographer, we will file a civil lawsuit. All proceeds from this suit will be donated to a charity or organization whose mission is to protect children from online pornography or predation.

It goes without saying that child pornography is illegal and morally reprehensible. Fortunately, this is the first time in our six years of existence, to my knowledge, that we have been distributed with this type of illegal content. We deplore it. Distributing our products with such illegal content is specifically against our code of conduct and as such, we will continue to do everything we can to prevent our products from being distributed with it.

Sincerely,


Ken McGraw
Chief Compliance Officer
180solutions, Inc.

 

Sunbelt's new pipe

Ok, this is severely nerdy/techie, but today Time Warner started installing the final few hundred feet of the conduit for our new OC-3 connection. (An OC-3 is a fairly large internet connection — about 155 megabits per second, roughly 100 times the speed of a T-1)

We’ve been running off of a T-3, with redundancy at an off-site facility. It’s taken months to lay the optics (including a delay to get by our nearby railroad tracks), but we’re almost there. Time Warner will probably end up installing an OC-12 for the building, of which we’ll get an OC-3 connection.

The connection is going into our second location here, the Clearwater Tower, which houses our technical staff.

The OC-3 is necessary for the kind of bandwidth we’ll be consuming with current growth, but also with SPECTRE, the web crawler we’re working on to find new spyware installs on the web.

We sometimes forget that internet connectivity relies on things like cutting apart pavements. So just for kicks I’ve posted pics and some videos below (thanks Dan):


Videos (not optimized for low-bandwidth!): Video 1 Video 2 Video 3 Video 4 Video 5 Video 6

Alex Eckelberry

Beware of trojan malware masquerading as "Katrina" emails

From the Register:

The site exploits well-known IE vulnerabilities to install a variety of Trojans including Cgab-A, Borobot-P, Borobot-Q, Borodldr-H and Inor-R. Security firm Sophos reports that subject lines used in the malicious emails include, but are not limited to, the following:

Re: g8 Tropical storm flooded New Orleans.

Re: g7 80 percent of our city underwater.

Re: q1 Katrina killed as many as 80 people.

Alex

Thursday, September 01, 2005

Sparring with Phishers

Update: See latest entry here.

Fun! Go to Phishfighting.com and fight slimeball phishers.

According to Debra Cliff at Online Crime Bytes,

“…there's a way to get back at phishers … by inputting the phisher's URL to a template at Phishfighting.com, which will send fake responses to the phish site every 20 seconds.

Phishfighters is the brainchild of Robin Grimes, a Web developer by day, who got sick of submitting junk mail data on the 5-10 phishes he receives each day and set out to do something about it.

"The point is to send so many fake responses to the phishers that they have to sort through too much data to determine what's real and what's fake," he told me in a telephone interview this morning.”

Alex Eckelberry

Direct Revenue misery

On the heels of reports that Direct Revenue (makers of wunderspy programs like Aurora) has had a fairly large layoff,  they get another nasty: A court ruling not entirely in their favor.  The ruling can be downloaded here.

The ruling was part of a class action lawsuit by The Collins Law Firm.

David Fish, the lawyer leading the charge against Direct Revenue, emailed this comment to me today:

I believe this is a giant first step forward for those who are overwhelmed by the intrusion on their computers of unwanted files and advertisements.  We intend to continue our vigorous prosecution of this case.  Here are some interesting comments from the judge's 29 page ruling:

In permitting claims to go forward for trespass to personal property, consumer fraud, negligence, and computer tampering, the Court noted that “many companies and computer users consider pop-up advertisements and Spyware an Internet scourge” (p. 17) and that the allegations in the lawsuit “reflect the frustration of many computer users” (p. 18).

The advertising defendants argued that they had no knowledge of a trespass taking place or “knowledge of DirectRevenue’s unlawful activities”.  However, the Court relied on legal precedent that “it is not necessary that the actor [i.e. the advertiser] should know or have reason to know that such intermeddling [i.e., the pop-up advertisement] is a violation of the possessory rights of another” (p. 19-20).

In response to an argument that individual advertisements can be easily closed, so they cannot cause a legal injury, the Court ruled that this:

“ignores the reality of computer and Internet use, and plaintiff’s allegation that part of the injury is the cumulative harm caused by the volume and frequency of the advertisements.  The fact that a computer user has the ability to close each pop-up advertisement as it appears does not necessarily mitigate the damages alleged by plaintiff, which include wasted time, computer security breaches, lost productivity, and additional burdens on the computer’s memory and display capabilities” (p. 21).

The next step in this case is that the Plaintiff will ask the Court to permit the claims of hundreds of thousands of computer users to be heard in a single lawsuit (i.e. a “class action”).

Suzi at ZDNet blogs more on the issue here.   Quoting Suzi:


“..Direct Revenue argued that the court ought to dismiss the case because Plaintiffs (i.e., the users) must have seen the End User License Agreement (EULA) and clicked through to agree to it, thus effectively telling a court of law that its software is always installed with the user’s full knowledge and consent, despite numerous statements indicating otherwise by users seeking help to remove it... The judge, in fact, evidently did not agree.” 


Alex Eckelberry


The minute by minute nightmare of New Orleans

Misc links:

Directnic is a domain name registrar in New Orleans that has employees there trying to keep the servers up.

One of their employees is running a blog here. Pictures, and graphical moment-by-moment descriptions of the chaos that has gripped the city, are on the blog.

Moment by moment news here. GREAT list of blogs here.

Hans Eisenman mentions two good links: A collection of photos of Katrina devastation and the latest on Katrina charity scams. Be careful. See FEMA's official list of donor sites.

Other links: The Katrina Help wiki and an incredible amount of stuff going on at Craigslist/New Orleans; as well as this one on before and after sat pics. Tech community helping.

More sat pics of Katrina.

Help: Quick and easy is the Red Cross, as low as a $5 donation. There’s also eBay GivingWorks, where you can buy products that directly benefit charities. More recognized charities on this official list of donor sites.

Alex Eckelberry