If you would prefer not to receive future emails from [redacted], or if you have changed your email address, please reply to this email with UNSUBSCRIBE in the subject field.

If I had changed my email address, would I be looking at this email wondering why I received it?

Date: 20-Nov-2008 16:13:15 ZE10

ZE10 is how Notes describes a time zone which, ignoring daylight saving, is 10 hours east of UTC (GMT if you prefer). That time zone would include the eastern states of Australia.

So, the sender's time zone is correct (give or take DST). The problem is that the Date header of the message is not and that Thunderbird is ignoring ZE10 and assuming that the time given is UTC.

According to RFC5322 (which, as you will recall, supersedes RFC2822 and RFC822):

The zone specifies the offset from Coordinated Universal Time (UTC, formerly referred to as "Greenwich Mean Time") that the date and time-of-day represent. The "+" or "-" indicates whether the time-of-day is ahead of (i.e., east of) or behind (i.e., west of) Universal Time. The first two digits indicate the number of hours difference from Universal Time, and the last two digits indicate the number of minutes difference from Universal Time. (Hence, +hhmm means +(hh * 60 + mm) minutes, and -hhmm means -(hh * 60 + mm) minutes). The form "+0000" SHOULD be used to indicate a time zone at Universal Time. Though "-0000" also indicates Universal Time, it is used to indicate that the time was generated on a system that may be in a local time zone other than Universal Time and therefore indicates that the date-time contains no information about the local time zone.

This paragraph is unchanged since RFC2822 anyway, so is not new, and it implies that the date header in the email to me should say:

Date: Thu, 20 Nov 2008 16:13:15 +1100

(+1100 and not +1000 because daylight saving is currently in force at the sender's location.)

Looking at MIME format emails I have sent myself recently using Notes, I see that the date header does indeed follow this pattern.

I'm running Notes 8 here and the sender is running Notes 7, but I don't recall seeing this issue when I was using Notes 7...

A computer virus has infected the Barts and The London computer system. The Trust’s well rehearsed emergency procedures have been activated to ensure that key clinical systems continue while network access is being established.

Way to sound like professionals, guys. So you have well rehearsed emergency procedures, do you?

How about robustly enforced security practices? If you had the latter then you would have had no need to invoke the former.

Just a few questions for you, in no particular order:

• What virus has infested your systems? Is it some esoteric new malware or is it old and well known? I'm guessing the latter.
  
  
• What was the transmission vector? Do you have network issues? Are people carrying around patient data (and malware) on USB memory keys?
  
  
• How many layers of security were breached or bypassed?
  
  
• Were affected systems fully up to date with patches to OS (Windows, at a guess) and related software products?
  
  
• Why do your users have privileges to install and/or run foreign code?
  
  
• Which systems are affected?
  
  
• What was the duration of service disruption?
  
  
• Has data been lost or compromised?
  
  
• Accepting your assertion that we have maintained a safe environment for our patients throughout the incident, how has service to patients been affected? We know that patient transport services at least have been hit.
  
  
• And finally, who will be sacked for failing to adhere to good security practices, still less best practice?

Internet fraudsters sell complete financial identities for just £80, according to an online safety group.

The details packaged and sold online include names, addresses, passport numbers and confidential financial data such as credit card numbers.

With six out of 10 people now managing finances online, experts say the public needs to do more to prevent e-crime.

So, how are these Internet fraudsters obtaining complete financial identities in order to offer them for sale?

A spam trapped by an anti-phishing rule a short while ago demonstrates just one of many possible avenues.

Dear Real Name,

PayPal Resolution Center: Your account is limited.

Why is my account access limited?

As part of our security measures, we regularly screen activity in the PayPal system. During a recent screening, we noticed an issue regarding your account:

Our system detected unusual number of invalid logging attempts [1] on you account from these Blacklist [2] ip address.

(Your case ID for this reason is PP-xxxxxxx.)

How can I restore my account access?

For your protection, we have limited access to your account until additional security measures can be completed. We apologize for any inconvenience this may cause. In order to assist us with this security measure, we ask that you send us a photocopy or scan of one document from each of the three categories listed below and return them via email to [redacted@email.address] :

• A clear copy of your Passport, Photographic Drivers Licence or I.D. Card (both sides).
  
  
• A clear copy of both sides of the credit/debit card on your paypal profile.
  
  
• A clear copy of a recent bank statement or utility bill on which your name and address are clearly visible - less than 3 months old.

Completing all of the checklist items will automatically restore your account access [3]

Thank you for using PayPal! [4]
The PayPal an eBay Company [5]

-------------------------------------

Please do not reply to this email. This mailbox is not monitored and you will not receive a response [6]. For assistance, log in to your PayPal account and click the Help link located in the top right corner of any PayPal page.

PayPal Email ID PP-xxxxxxx.

This is clearly bogus, although intriguingly the miscreant here does already know his mark's real name and does not address him simply as Dear Valued Customer or Dear email address.

1. Invalid logging attempts? Somebody tried to cut down the wrong tree?
2. Does the sender mean blacklisted? In any case, he fails to list any IP addresses, blacklisted or otherwise.
3. Completing all of the checklist items may have altogether different consequences.
4. That word of thanks clearly requires the emphasis implied by the exclamation mark, but why only one?
5. The PayPal?
6. The email address which sent the email is of course not the one to which the mark is directed to forward his scanned documents. It is a real PayPal address which may be why replies are undesirable, at least from the phisherman's point of view.

I'm A Celebrity... Get Me Out Of Here! may not have started yet but Robert Kilroy-Silk is already favourite to be voted off first.

Chocolate orange, argyle jumpers, anything from Anne Summers...

Now there's a mental picture I just didn't need.

* OK, not really Prince Charles but John Culshaw does sound a lot like him.

One of the code execution vulnerabilities fixed in this month’s Microsoft Patch Tuesday release dates back to 2001 when it was first disclosed by Cult of the Dead Cow hacker Sir Dystic.

If that wasn’t cause for worry, get this:  An exploit for the bug — in the way that Microsoft Server Message Block (SMB) Protocol handles NTLM credentials — has been part of the Metasploit hacking tool since July 2007.

It is a very nasty bug and apparently Microsoft took so long to address it because closing the backdoor they had left open in the SMB authentication protocol would have broken existing applications which depend on NTLM authentication.

Which applications?

When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications. And to be clear, the impact would have been to render many (or nearly all) customers’ network-based applications then inoperable. For instance, an Outlook 2000 client wouldn’t have been able to communicate with an Exchange 2000 server.

In fact the MS08-068 patch doesn't fully fix the problem. It merely eliminates one possible attack vector as described in the rather good write-up here.

The MS08-068 patch addresses this attack only in the case where the attacker connects back to the victim. The patch works by checking the received challenge key against a list of active keys that its own SMB service has issued. If the challenge key matches the list, the authentication process fails. This form of the attacker is described as "reflection" by the Microsoft SWI team. The Karmetasploit implementation uses this attack by default, providing remote code execution in any environment where Metasploit can influence the network of the victim (WPAD, WiFi, MITM, etc). This attack works great even in very isolated environments, such as an airplane full of Windows users at 30,000 feet.

Wi-Fi?

Airplane full of Windows users?

That sounds familiar.

OK. That fish is well and truly shot.

Over half of internet service providers believe that new threats could emerge with the deployment of the new Internet Protocol version 6 (IPv6), according to the latest annual worldwide Infrastructure Security Report from Arbor Networks.

The survey polled around 70 IP network operators across the globe, reporting a continued rise in smaller scale and more sophisticated attacks, including service-level and application targeted attacks, DNS poisoning and route hijacking.

It's all so clear now. IPv6 is less secure than IPV4, so that's why they can't implement it.

Mind you, these are the same people who haven't yet got round to patching their IPv4 only name servers against the Kaminsky flaw, so they may not be the best judges of what is secure and what is not...

See also:
Ruminations on a future IPv4 economy
Failing to plan is planning to fail
Don't Panic
From the Suspicions Confirmed department

Spammers are turning a profit despite only getting one response for every 12.5m e-mails they send, finds a study.

By hijacking a working spam network, US researchers have uncovered some of the economics of being a junk mailer.

The analysis suggests that such a tiny response rate means a big spam operation can turn over millions of pounds in profit every year.

It also suggests that spammers may be susceptible to attacks that make it more costly to send junk mail.

It seems that a group of researchers was able to infiltrate the infamous Storm bot net and to implement some methodology of their own in order to measure the activities of a small part the network and to extrapolate the likely scale of activity of the network as a whole.

This has been widely reported in more technical channels, too, but no reporter has dwelled for very long on this part of the story:

They created several so-called "proxy bots" that acted as conduits of information between the command and control system for Storm and the hijacked home PCs that actually send out junk mail.

The team used these machines to control a total of 75,869 hijacked machines and routed their own fake spam campaigns through them.

Just pause to let that sink in.

A team of researchers, whose intentions we must assume were entirely honourable, nonetheless took control of 75,869 "hijacked machines".

Those hijacked machines were computers belonging to 75,869 people, most of whom enjoy the protection of legislation which makes illegal the use by any third party of their computer without their permission, regardless of the motivation for such use.

In the UK we have the Computer Misuse Act 1990, and similar laws are in effect across all of Europe, the United States and further afield.

So, having broken the law in order to assess the activities of storm, do our researchers then come to any useful conclusions?

First, the Achilles heel of the research is briefly noted.

Under the assumption that our measurements are representative over time (an admittedly dangerous assumption when dealing with such small samples), we can extrapolate that, were it sent continuously at the same rate, Storm-generated pharmaceutical spam would produce roughly 3.5 million dollars of revenue in a year.

And then, derived from a chain of logic beginning with this dangerous assumption:

The profit margin for spam (at least for this one pharmacy campaign) may be meager enough that spammers must be sensitive to the details of how their campaigns are run and are economically susceptible to new defenses.

Economically susceptible to new defenses?

What does that mean?

Sender pays?

One commentator briefly contemplates this before ruling it out.

My first thought was that the old idea of charging postage for email might be worth pursuing. At a conversion rate of less than $1 per hundred thousand emails, an e-postage rate of 1/100 of a penny per email would pose no burden on ordinary consumers, but break the economic back of spam. However, I quickly dismissed this idea upon realizing that since the majority of spam is sent by 'bots, it's the consumers who will be paying the postage, and not the spammers.

Quite right. And that's before you address the fundamental technical barriers to the implementation of any sender pays scheme.

No, the spammer is not as vulnerable as this research would have us believe, unless some effective means can be devised of taking down the bot nets.

This is the fundamental issue here.

No user or ISP feels any pain or has any other motivation to deal with bot net infection at source, and yet the technology which would allow an ISP automatically to quarantine a compromised customer has been available for years.

Just imagine. Within seconds of bot net activity starting at any connection the ISP could move the infected computer into a ring-fenced network with no access to any service other than a clean-up service operated by the ISP itself. The ISP could charge the customer for clean-up, covering the costs of providing the service and perhaps even making a small profit. Compromised computers would be kept off the network and would be sanitised instead of simply being left under the control of the bot herders.

But given the worthy but misdirected efforts of academics, the blind eyes of the regulators, the laziness of ISPs and the ignorance of their customers, is this a likely outcome?

Forget sender pays.

Spammer stays.

Link: Spamalytics: An Empirical Analysis of Spam Marketing Conversion

Viral video seeding company?

That's right out of the SEO school of interweb ethics.

Isn't the whole point of viral marketing that it happens serendipitously? That if you have a product or service worth talking about, then people will talk about it?

Doesn't commercially attempting to seed viral content actually run counter to the whole notion?

I won't be embedding the YouTube clip offered by that viral video seeding company here.

See also: SEO and link spam

IT is the modern, fastest and safest way to solve all your male problems.

I agree.

Men used to waste all of their spare time fiddling with old cars or motorcycles, getting their hands dirty and putting themselves at risk of serious injury through the injudicious use of power tools.

Not any more.

We just muck around with the latest Linux distro and try aimlessly to find drivers for some ancient * WLAN adapter, all in the comfort of our centrally heated home offices and well away from high voltages and rotating machinery.

IT is indeed much the safest way to assert one's manhood.

* Ancient means more than three years old, if you're using a non-MS operating system, or more than one year old in all other cases.