September 15, 2006

The Immortal E-Mail: Detecting Fake "Chain Letter" Messages

Greetings. One of the more annoying aspects of e-mail these days is the continuously increasing volume of "chain letter" messages of all sorts, which almost inevitably contain content which is fraudulent, criminal, propagandistic, misleading, or just plain garbage. Some of these messages propagate for many years, with a sort of electronic immortality.

Ironically, most of these messages are passed along by individuals who believe that they're doing a favor for their correspondents by forwarding onward an "important" note that is assumed to be truthful and useful.

These messages waste resources and people's time in the best case, and can result in major financial losses and other serious negative effects in the worst.

A few simple, interrelated guidelines can help anyone to determine whether a message falls into this "chain letter" category before they decide to forward it onward.

First, consider the subject. If a message contains a dramatic warning, alarming story, emotional appeal, or other material that seems like the sort of information that deserves mass media exposure, but for some reason you haven't heard about it from the media, your alarm bells should go off.

Contrary to the beliefs of some media detractors, print and broadcast media aren't in the business of suppressing information -- they're in the business of maximizing the numbers of eyeballs and ears that are exposed to their work, and compelling stories of all types are their bread and butter. Ask yourself why the material you read in a chain letter message has somehow been "missed" by the media if the message is really so important and on the level. The answer is -- the vast majority of the time -- that much or all of the material in the chain letter is inaccurate and unverifiable.

Keep in mind that a chain letter message doesn't have to be asking for money. In many cases, these messages are basically propaganda, pushing particular political, religious, or other points of view based on totally faked or manipulated information, often with a dramatic emotional punch. Because such messages can strike a deep chord in many readers, they often are driven to pass them along immediately, even though they've made no effort to verify that the message content is accurate in any way. Chain letter messages often arrive from senders that you know personally, which tends to give the messages even more appeal.

This brings us to the second easy test for chain letter messages. When you receive a message that contains a long series of forwarding headers -- seemingly endless arrays of To: and CC: entries, sometimes comprising much of the total text of the message -- you should immediately be suspicious. This sort of forwarding pattern suggests that the information in the message has a high likelihood of being false in at least some important aspects.

This relates directly to the test I mentioned earlier -- it's indicative that the story has not been disseminated by mass media and is not widely available on reputable Web sites, so it's being passed around from person to person. Like that previous test, this "header test" is also not a foolproof method to determine whether or not a message is legit -- but it's a big help in the process.

Finally, when you suspect a message, do a little research before sending it onward. A few minutes with your favorite search engine will usually quickly expose many chain letters, since they tend to have been discussed widely by previous recipients. Simply search on some of the names or other key words in the message. Visiting "urban legend" sites such as Snopes can also be very useful in these situations.

Hopefully these suggestions will be of some value when it comes to helping you decide whether or not to forward onward that next piece of dramatic and compelling e-mail that arrives in your inbox.

Feel free to forward this message onward -- but please don't turn it into a chain letter!

Take care, all.

--Lauren--

Posted by Lauren at 09:56 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein


September 14, 2006

Arnold's Audio URL Controversy -- Hacking or Not?

Greetings. I've seen various news stories biting around the edges on this one, but perhaps a few more words now will save some time later.

As you may know, an mp3 audio file containing a recording of a private meeting with California's "Governator" was apparently "leaked" to the press by staffers in the office of his Democratic opponent in the upcoming election. The tape included Arnold using strong language and some racially-related discussion that some observers found disturbing, for which the Governor later apologized (audio of the meeting).

Arnold's team immediately declared that the file had been stolen from a "password protected" private area of their servers. Later they changed that story to saying that "information manipulation" had been involved in gaining access. Now local L.A. radio station KFI says of the process: "We've been hacking them for years, if this is hacking."

From everything I've been able to learn about this situation, the file was reportedly not password protected and the technique apparently used to gain access -- URL manipulation -- does not reasonably qualify as hacking under any normal definitions.

What appears to have happened -- again, based on what I know right now -- is that various people have been exploring the Governor's Web servers by making slight changes to the URLs on Web pages or from e-mail. For example, if a (fictitious) promoted URL is:

http://arnoldssite.ca.gov/audio/file01.mp3

an interested party might also try to access file02.mp3, file03.mp3, and so on.

The same sort of procedure applies to any other types of Web materials -- file21.html, speech-ab.doc, photos-000.jpg, etc. You can type anything you want into a Web browser address bar, and it's the responsibility of the server to determine whether or not you should have access: browsers request, servers control.

I'll bet that many readers of this blog entry have themselves used the same technique to explore Web site areas, or have seen the entries related to such actions in their own Web server logs.

Whether or not it is appropriate to publicly release information discovered in this manner is a different and more complex issue.

But I believe that it's very important to emphasize that the security of files on Web servers is solely the responsibility of those servers and the people who configure them. Relying on the false assumption that files can't be accessed simply because you have not promoted their URLs -- particularly if those URLs can be easily inferred from known URLs -- can lead to some significant surprises.
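The server-log side of this, as an added example that is not part of the original post: a short Python check that reads access-log lines and reports clients that requested several numbered variants of one URL pattern, separating the unlinked files the server actually served from those it refused. The log lines, addresses, `PUBLISHED` set and the `min_unlinked` threshold are constructed assumptions; the path reuses the fictitious URL above.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample access-log lines (Common Log Format); the addresses are
# documentation ranges and the paths follow the post's fictitious example.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Sep/2006:09:01:02 -0700] "GET /audio/file01.mp3 HTTP/1.1" 200 48211
198.51.100.7 - - [14/Sep/2006:09:01:09 -0700] "GET /audio/file02.mp3 HTTP/1.1" 200 51022
198.51.100.7 - - [14/Sep/2006:09:01:15 -0700] "GET /audio/file03.mp3 HTTP/1.1" 404 209
198.51.100.7 - - [14/Sep/2006:09:01:21 -0700] "GET /audio/file04.mp3 HTTP/1.1" 200 60977
203.0.113.20 - - [14/Sep/2006:09:05:00 -0700] "GET /audio/file01.mp3 HTTP/1.1" 200 48211
203.0.113.20 - - [14/Sep/2006:09:05:30 -0700] "GET /index.html HTTP/1.1" 200 1024
""".splitlines()

PUBLISHED = {"/audio/file01.mp3", "/index.html"}  # URLs the site actually links to

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')

def find_enumeration(lines, published, min_unlinked=3):
    """Report clients that walked numbered variants of one URL pattern.

    Returns {(client, pattern): {"probed": [...], "served": [...]}}, where
    "served" lists unlinked paths answered with 200: files protected only by
    the fact that nobody advertised their URL.
    """
    seen = defaultdict(dict)  # (client, pattern) -> {path: last status}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a GET/HEAD line in the expected format
        client, path, status = m.group(1), m.group(2).split("?")[0], int(m.group(3))
        root, ext = posixpath.splitext(path)
        pattern, digit_runs = re.subn(r"\d+", "#", root)  # file02 -> file#
        if path in published or digit_runs == 0:
            continue  # linked pages and un-numbered names are not of interest
        seen[(client, pattern + ext)][path] = status
    report = {}
    for key, hits in seen.items():
        if len(hits) >= min_unlinked:
            report[key] = {
                "probed": sorted(hits),
                "served": sorted(p for p, s in hits.items() if s == 200),
            }
    return report
```

Anything that shows up under `"served"` is a file the server handed out without any access check, which is the condition to fix on the server rather than in the URL naming.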

--Lauren--

Posted by Lauren at 09:34 AM | Permalink


September 09, 2006

Hewlett-Packard's Privacy Nightmare

Greetings. This story hasn't been getting all that much play in the mainstream non-business media, buried as it is among 9/11-anniversary political posturing and related shenanigans.

Hewlett-Packard has yet another problem on their hands (and Chairwoman Patricia Dunn is in the middle of this one as well).

In an attempt to discover who was leaking company information that she felt to be of concern, she (or entities working under her direction) reportedly hired a private detective firm. This organization then used likely illegal methods to obtain the private phone records of HP board members and -- as if that weren't bad enough -- outside reporters as well, including the esteemed John Markoff of the New York Times.

The gumshoes apparently used the time-honored technique of "pretexting" (aka "fraud") to convince AT&T that they were the phone subscribers themselves, and asked for copies of related phone records.

Dunn claims that she'd never heard of pretexting and that she didn't authorize such methods -- but one does have to wonder where the blazes she thought the private phone records were coming from -- the phone fairy, perhaps?

AT&T doesn't appear to be blameless, either. As I've reported many times in the past, major firms' lax security policies, depending on widely available information such as social security numbers, zip codes, or the like as security firewalls for personal information, are incredibly ineffective and just short of criminal themselves. Even worse, if you try to establish passwords or other additional security on your accounts, it's often easy for interlopers to bypass them simply by claiming that they are you, and that you "forgot your password" or the like.

At least two key points can be derived from the current situation.

First, HP's dedication to privacy -- judging by this series of events anyway -- is somewhere south of picayune. You might want to keep that in mind the next time you're pricing out notebook computers or other privacy-sensitive equipment.

Secondly, companies like AT&T who make "pretexting" so easy need to be soundly penalized (in ways not passed on to subscribers) when this occurs, and must be forced to take strong steps to prevent repeat performances. They certainly shouldn't be rewarded for these continuing gaffes with total residential services deregulation -- as the California Public Utilities Commission granted them recently. Nor should they be allowed virtually unfettered access to the cable TV marketplace, as provided by newly passed California legislation.

But then again, money talks, and bul... well, you know. Take care, all.

--Lauren--

Posted by Lauren at 03:36 PM | Permalink


September 01, 2006

Update on California Cell Phone Ban Silliness

Blog Update (June 29, 2007): Note that despite any rumors to the contrary, the law discussed in this entry takes effect on July 1, 2008, NOT 2007. It will then, as in other states with similar, even stricter laws, be increasingly ignored as time goes by, while law enforcement rightly concentrates instead on serious issues.

Greetings. The legislation that I've previously discussed prohibiting driving in California in most situations while holding a cell phone passed last night (the presumption remains that Arnold will sign it), with its author continuing to proclaim that while it won't end cell phone distractions, at least it will get people to keep both hands on the wheel (of course, it doesn't require people to drive with both hands on the wheel!) The amount of distraction that will result from people fumbling around with hands-free devices, vs. just quickly popping the handsets to their ears, hasn't been mentioned. Will most cell phone users drive around proactively with bluetooth or other headsets in place when not actively engaged in calls? Probably not.

Also, a few changes are worth noting in the final version of the bill. The original bill stated that the $20/$50 fines would be inclusive of other fees or penalties. However, the final bill changes the fines to "base fines" -- which means that the out-of-pocket costs for dealing with them could easily exceed three times the base fine amount in most jurisdictions. The final bill also specifically notes that violations will not result in an infraction point on the driver's record and that it is not an infraction to drive while holding a cell phone if you're on private property (presumably parking lots, etc.) An exemption also now exists for certain specific push-to-talk applications, but only until mid-2011.

As I've noted previously, in other states that have implemented similar laws (even with fines as high as $500), compliance has dropped off very rapidly after an initial surge. There's no reason to expect anything different in California. The entire exercise remains utter silliness on parade.

Questions: If a driver is seen to be holding a cell phone when photographed by a red light camera, will they additionally be cited for the cell phone violation? If you tend to drive around like an old-style radio announcer with a hand cupped over your ear, will you be cited for presumptive illicit cell phone use?

--Lauren--

Posted by Lauren at 08:28 AM | Permalink