Saturday, December 01, 2007

Comment spam is worth real money...

(Note: Links are deliberately not clickable, we don't want to give the Spammers pagerank)

Blogger has a pretty significant amount of protection against comment spam. They have to, because comment spam degrades the blog ecosystem. On this personal blog, I've just gotten comment spam like this:

I have to say that I love this article. I have searched for many weeks to find an article about this topic. This blog has been so simple and has a lot more features than other blog articles. The layout and design is great. I will continue to come back here for every articles. Thanks.........

Eva Maryam (a link to (another clickable link)

Both blogs are simply full of automated-feed content from, a company which gives free articles for posting on websites, probably mostly spamblogs, to make them seem legitimate. And the rest of the blog is a pile of Google ads.

It cost the spammer roughly $.01 to post that single bit of comment spam!

I have "Word Verification", aka the comment CAPTCHA, turned on. This means the spammer either had to invest a lot of effort in building or buying an automated tool, did it manually herself, or outsourced the CAPTCHA solving to a human, such as the Amazon Mechanical Turk, a porn-for-CAPTCHA service, or a Chinese Turing farm. But in any case, all the alternatives effectively cost real money. A CAPTCHA can protect something valued at less than $.01 or so, but anytime the value is >$.01, CAPTCHAs are useless because you can always just hire people.

I should consider it a compliment that the spammer would spend $.01 to post an advertisement on my inconsequential blog. And thus I can see how the spam blogs make money: there are a lot of ads spewed out on that page and it costs nothing to set up. Just a single click might make the spam-blogger $.10 or $1.00 or even more.

And they make enough money to make solving CAPTCHAs worth it, which means blog spam is far more valuable than email spam. An interesting result, and not good for the viability of blogs when comment spam on a random, nearly unread blog is actually worth money to the spammers.

The best counter is probably to attack the ad-blogs themselves. All of the content in the spam blog itself doesn't cost the spammer, but by not paying for hosting the spam blog, they are vulnerable. If Google actually responds to my flagging of the spam blogs which post comment spam, this would disrupt the spam-blog ecology.

But we will see in the future whether this happens, whether Google decides it benefits more from ad impressions through spam blogs or is hurt due to the disruption of the blog comments system. I hope for the latter, as manually removing such spam costs me more than $.01 in my time.

The interesting thing is Get My Article's business model. It's free to use the content, but submitting the content requires paying $20/month, and requires actually creating semi-real content! So why are people paying good money to have their legitimate text articles (albeit complete with links) on people's spam-blogs?

Tuesday, July 24, 2007

Hofmann's Crash

I was at MotoGP racing this weekend, having fun with my camera. One of the photos I captured was Alex Hofmann's crash during free practice in MotoGP, when he was T-boned by Sylvain Guintoli on the entrance to the corkscrew.

I was using a rental lens on my Canon XTi, with a deliberately long shutter speed (1/200) to increase the sensation of speed and depth of field.

The full sequence is here.

I've released these photos under a BSD-style (aka Creative Commons style) license. Since I'm just an amateur having fun, it is better to just get my name out there, and to maximize the number of people who go "Hey, that's a cool photo".

Wednesday, July 11, 2007

How to (and how not to) run an airline

For those who have yet to experience the joy of East Coast air travel, there is one bane beyond all others: East Coast thunderstorms. During the late afternoon and evening, masses of thunderstorms often form, blocking airports and flight paths from Boston to Washington. These storms often create "creeping delays", where all Air Traffic Control can tell the pilots sitting on the ground is "ask again in half an hour", because it could be 15 minutes and it could be 4 hours before the planes can fly again.

In two trips within three weeks, I got to experience this first hand.

The most recent, from Washington DC home, was on JetBlue. With a tight travel budget and DC's outrageous hotel costs, an extra night and a morning flight was not in the cards. So on the evening of June 28th, I arrived for the 9:20 PM flight from Dulles to Oakland, JetBlue flight 321. Sometime around 6pm, the airport basically was shut down: thunderstorms were blocking all routes east and north, and a storm was heading directly to the airport itself.

During this time, other airlines still boarded people and shoved planes onto the tarmac. JetBlue did not. The counter personnel said "we don't want to board the planes until we know you can take off, it's more comfortable sitting here". An airline that learned its lesson the hard way.

More important, they communicated with the passengers. Every half hour or so, the counter staff would check in with a pilot on a plane and get an update from Air Traffic Control.

One pilot (the pilot for my flight) stayed at the counter and helped out: explaining to people the cause of the delay, looking up flight status on his smartphone, showing the weather radar to people, assuring us that he was NOT going to cancel the flight to Oakland, and even detailing the tricks he was going to pull to try to get us out as promptly as possible, a scheme which required shanghaing off-duty and over-houred flight attendants to board us 15 minutes before our scheduled cabin crew was due to arrive from a connecting flight.

One of the counter staff even unloaded a few drink and snack carts from the plane, with a "I know this won't make you feel better, but it makes me feel better, so help yourself". The good customer service even continued onboard, with the pilot unlocking the pay-per-view movies.

So although the flight was almost three hours delayed leaving (but only slightly more than two hours arriving, the pilot put the pedal to the metal), and other flights suffered even longer delays, the process went as smoothly as could be expected.

About the only thing which would have improved the situation would be a weather and/or weather + air traffic display in the lounge, so the customers could see for themselves the airborne mess.

This was in sharp contrast to United flight 19, on June 8th. A similar evening flight, from JFK to San Francisco. Weather was moving in, and any pilot worth his salt would have seen the impossibility of getting off the ground. Nevertheless, we boarded the plane on time.

It turned out June 8th was going to be a ClusterF*** of a flying day out of JFK. Earlier in the day, Air Traffic Control on the east coast suffered a major computer crash. One of the two taxiways at JFK was closed for construction. The East Coast Thunderstorms made their appearance. And an emergency landing on one of the other runways.

But the United pilot told us nothing, simply moved the plane to the taxiway and parked it on the side. No updates, no reports.

The only reason I knew about the weather issues (and resulting routing issues), the emergency landing on the other runway, and most of the other problems was because the pilot did not turn off the ATC channel on the entertainment system, so I listened away to 'xxx, switch to controller C, wait for him to contact you, it will be a while' and 'all emergency vehicles roll to runway Y'.

Even the cabin crew didn't know about what was going on, relying on me to relay information to them! After an hour or so, they distributed cups of water but provided no other cabin service while we were sitting on a taxiway with the engines off.

Four hours later, we were finally in the air. Again, I knew about departure information long before the cabin crew was informed, let alone the passengers. Even during the ascent, the frustrating lack of communication continued, with the pilot detailing to ATC the "moderate" turbulence we were passing through but saying almost nothing to us poor souls along for the rather bumpy ride.

So thus ends the simple lesson in how to, and how not to, run an airline.

Thursday, July 05, 2007

iPhone Redux and the Left Turning Porsche...

OK. I still don't like the lockin policy. I find it horribly objectionable.

But I got a chance to play with an iPhone this weekend, a good 10 minutes of lustworthy exploration.

Yeah, the edge network is sucky, but it is sufficient for a lot of work.

Yeah, the lockin policy is repulsively crippling.

But the thing is so well done, so well put together, so easy to use, with all the little touches, that if I didn't have 7 months to go on my cellphone contract, I'd go out and buy one today.

I'll still probably wait (I don't want to spend an extra $150 bucks to get out of my cellphone contract), but the iPhone looks seriously worth it.

Thursday, June 21, 2007

iPhone Lockdown and Intent-Based Pricing

There are several applications I'd want to run or port on an iPhone. This includes a full ssh environment, subversion version control, and some custom scripts using ImageMagick which would allow me to process, manipulate, and upload photographs using my digital camera (assuming you could adapt the iPod port to a camera or compact flash card): all tasks I perform on my Mac laptop but which would greatly benefit from the greater portability of an iPhone.

Yet Apple and AT&T's lockdown policy (only Apple-authorized applications can run on the iPhone) means I will be unable to use the iPhone to its potential. I understand the reasons why Apple and AT&T want this property: they want to limit which applications can run because they wish to bill for service based on intent.

At $10 for 1500 SMS messages at 1 kB/message, SMS messages are worth roughly 1.2 Mb/$. With voice (beyond the first 500 minutes) at roughly $.05/minute and approximately 8 kbps, voice is roughly 10 Mb/$. Finally, at "unlimited" data (with a reasonable limit of say 5 GB) for $20, the data traffic is 2000 Mb/$. Thus the intent of the bits, whether it is an SMS message, voice, or best-effort data, affects how it is billed. Thus AT&T's interest is to ensure that the iPhone can't circumvent intent-based billing.

Overall, there is a design philosophy which is creating a sealed box rather than an open box. The sealed box offers some better security properties (as AT&T theoretically does not have to worry as much about misbehaving iPhones), but the security properties are somewhat illusory. Attackers will still be able to compromise the Safari implementation and gain control of iPhones. It will be difficult for attackers, but doable and highly attractive.

Additionally, the hole in the sealed box, the ability to run sandboxed Ajax-ish web applications, defeats AT&T's intent-based pricing, the stated and implied security goals, and Apple's stated goal of a pristine user experience. An Ajax-ish webpage could easily interface with IM protocols, replacing high-value SMS traffic with lower-value bulk data. It is vulnerabilities in the web browser which attackers will exploit. And the interface will never be as good as a native interface running directly on the iPhone.

In the end, the iPhone is a Porsche which can only turn left.

If you only ever want to do what Apple has decided you should do (namely email, web surfing, music, and a phone), it is a beautiful platform, and probably worth every penny.

If I could obtain development tools and install new applications, I would buy one in a hot second, even with the transition costs as a Verizon customer.

But with the current model of a sealed box, I will not buy one and will urge my friends and family not to buy one, at least until it costs no more than a basic phone. It may be beautiful, but it is crippled.

Personal Financial Security Protocols

Note: The following is a work in progress. Comments are greatly appreciated.

There is an old saying, "The cobbler's children have no shoes", implying that experts in a field often neglect their own discipline in their daily lives. For me, as a security "expert", this is not the case. I have a rich and complex set of personal protocols for dealing with financial matters, including protecting my bank accounts, savings, and credit cards. I deliberately designed these protocols to balance security and convenience.

I began with a simple observation: I want to minimize my costs in a security breach. And costs to me can be reduced by either preventing security incidents or ensuring that some other party, not myself, is responsible for the loss. Thus my attitudes towards my credit cards, my bank account, and my brokerage account are all substantially different.

Credit Cards

I am generally rather cavalier about my credit card. I happily use online shopping, and will even email my credit card number when making a reservation at a small hotel. True, I'm not going to post the number on the Web, but I won't otherwise hesitate to use my credit card and don't take any extra care in safeguarding this information.

Why? Simply because it is not my money at stake!

Until I write the check to the credit card company, it is the credit card company's money. In case of fraud, I am able to dispute the fraudulent transaction before I have to write the check, leaving the credit card company on the hook for all but $50 (in theory) or $0 (in practice). I had this occur once, with a $5 fraudulent charge, and the process of disputing the charge was painless. Rather, it is the merchants who need to take care in accepting credit cards as the merchant ultimately carries the cost of fraud.

Bank Account and ATM Cards

My casual attitude towards my credit cards is sharply contrasted by my attitude towards my ATM card. My ATM card is ATM-only, without a Visa or MasterCard logo. With a "check" card, where the transaction goes through the credit card system, all an attacker needs are the numbers on the card. In contrast, the ATM network requires the PIN number as well as the card's information.

Additionally, I only use my ATM card at a bank branch's ATM (ideally my bank's branches). And even at these ATMs, I physically examine the slot where the ATM card enters to see if someone has attached a card skimmer (a device to read the card as it is inserted into the machine). I NEVER use my ATM card at grocery stores or other stores, as there have been several break-ins where attackers have managed to capture ATM cards as well as credit cards.

Why should I care? Although the fraud protections for ATM/check cards are as good as credit cards, until the dispute is resolved it is my money that is missing, not the bank's. If someone fraudulently used my credit card, the worst case would be the card stops working (and I have two cards). If someone fraudulently accessed my bank account my rent check might bounce before I found out. Thus I need to minimize the chance of a breach.

I also do not use any automated or online bill pay or online banking, except for a couple which go to a credit card. My banking and bill payments are all done in person or through the mail. There are too many bots and key loggers in this world for me to trust online banking, and there is significant comfort in having a real paper trail for any potentially disputed transaction.

Finally, when I do pay my bills by mail, I drop off the envelopes in a locked mailbox rather than leaving them for the postman to pick up. It is far too easy for someone to steal some checks and modify them if they are out in the open.

Brokerage Account

The one exception to the "No Online Banking" rule is my brokerage account, as the web site provides the only effective interface for managing the account. Fortunately I only need to access it once every few months, as I follow the general economic advice of "Buy index funds and/or CDs and just let them sit" as I know I'm incapable of reliably beating the market.

I use a bootable Linux "Live" CD (in my case, Knoppix, although I need to investigate alternatives as Konqueror doesn't render properly, forcing me to manually download Firefox). I reboot my computer using the live CD so I know that my system is free from viruses, bots, and keyloggers. I then access just my brokerage account, do my necessary changes, and restart my computer. Although significantly inconvenient, I view this as necessary.

Unlike bank accounts, the laws concerning fraudulent brokerage account access are not well-enough settled for my taste. Since I have no assurance that, in case of fraud, I would not lose money, I need to prevent fraud to as great a degree possible. Thus I must be able to trust the computer I'm using, and given the perilous state of end-host security (even Mac security), the only way I can trust the computer is by booting using trusted, read-only media and only connecting to the brokerage account.


Building these financial protocols took me considerable thought and effort. I had to consider what were the possible attacks on my financial data and what the consequences were. In the end, it was the consequences of possible attacks which dictated my policy: if it doesn't cost me much time and money, I don't care. But if it's my money on the line, I'll be very careful.

Wednesday, June 20, 2007

Intro (Redux)

A redux on my intro:

I figure that I'm enough of an egomaniac that I finally should start up a blog. After all, it is only academics with LARGE egos which should be blogging... This is not really very active yet, but I expect to use it in the future to post original items.

For background, my research area is computer security and computer architecture. I received my Ph.D. from UC Berkeley in the fall of 2003, and since then I've been a researcher at the International Computer Science Institute (ICSI).

This blog, however, will also include my thoughts on random topics on which I am completely unqualified, as well as information on computer architecture and security topics.

I tried to start blogging, let it lie fallow, and am going to try to start again.