Simon Bisson & Mary Branscombe 's Blog

Java’s SSVAGENT.EXE: training the monkey

By Simon Bisson & Mary Branscombe in Editorial

Posted in Web browser, Security, Internet on August 8, 2008 at 5:49 pm


If you run Vista and you’ve allowed Java to update itself recently, you’ll be getting an infuriating dialog box every time you open a new browser window, including a new tab or a popup window, saying that unsigned code wants to run and that it can’t run in protected mode (the low-rights mode that Internet Explorer uses). The SSVAGENT.EXE referred to is Java’s update agent, which runs every time the browser runs - and Sun apparently can’t tell the difference between a new Internet Explorer process and a new tab running in the existing process.

If you actually use any Java applets, you may also get an error telling you there are several Java Virtual Machines running. 

It’s bad enough that Sun has, for at least the second time, put out software without a digital signature proving where it comes from, the most basic security check on code for the end user. It’s equally annoying that the suggestion from Sun is that you just click ‘Allow’ every time until the bug gets fixed in Java 6 Update 10 (‘officially released later this summer’) and that Internet Explorer doesn’t let me say ‘Don’t ever allow this to run’.

But how about an update agent that runs every time you run your browser? That’s not very respectful of my resources, or my bandwidth. Other applications have periodic checks for updates and they only run when I’m not busy doing other things (Vista has an API for this, so even if you have umpteen different notification systems running, they can all find out when you’ve stopped to think or turned away to pick up the phone and do their updates, checks and maintenance without slowing you down). Why does Java need to check for updates so obsessively?

The Java control panel doesn’t think it needs to check that often; the default setting appears to be check monthly. So why does it hook into Internet Explorer to run the update agent all the time? Personally, I’m turning off the updater altogether, although that’s not a decision you’ll want all your users to take.

I can’t tell you exactly where the Java control panel hides itself; I couldn’t find anything in the All Programs list so I typed ‘Java’ into the search bar on the Vista Start menu and it offered me the Java control panel without having to dig for it. On the Update tab clear the check box for ‘Check for updates automatically’ and stick to your decision when Java asks if you won’t reconsider and click ‘Check Monthly’ instead because that’s the setting you started with. You may have to quit and restart Internet Explorer to prise Java’s hook out of the code and then you can go back to having browser windows open without a security warning that you train yourself to ignore.

That’s the problem with dialog boxes where it’s OK to just click yes, and one of the interface issues with Vista’s User Account Control. Any time there’s a dialog that’s in your way, the temptation is to click Yes just to get rid of it. Ask users if they want to do this unsafe thing, if they really want to, if they really really really want to and they’ll click Yes with less and less hesitation. Years of popups and confirmation dialogs have trained the user like a monkey in an experiment; click here and get what you want.

But you have to have confirmation for some things (Format C:? Record Battlefield Earth? Delete your wedding photos? Install an application just because you clicked on a URL?).

The real problem is that the PC has no idea of context or common sense; I navigated to the home page for the Kevtris game by typing in the URL, so when I click the download link and then click Run I really do want to install the game, but if I clicked an ad link in my email and it goes straight to installing a Trojan I really don’t want to. The PC has to leave intelligent decisions up to the user, and that means dialog boxes and confirmations when there’s anything that could be suspicious. Not remembering to sign the code for your application? That’s either suspicious, downright penny-pinching ($25 for a certificate) or shows you don’t have a good sign-off process for your developers. Either way, yes, I do want my browser to warn me about you.
-Mary


You say Express Gate, I say Palladium

By Simon Bisson & Mary Branscombe in Editorial

Posted in Futures, Silicon, virtualisation, Hardware, Laptop, Mobile, Security, Intel, Microsoft on July 28, 2008 at 12:41 pm


Imagine a second, simpler operating system on your PC with fixed features, so it’s more secure - after all, if you can’t add more programs you can’t add a virus either. It would have to start up quickly, so that Windows wasn’t waiting for it, so it would be ideal for listening to music and watching video. I’m not thinking about virtualization per se, although that’s one way to achieve something similar; this is two operating systems side by side, both with access to the PC hardware, but one of them does much more limited and circumscribed things.

Can you tell what it is yet?

No, actually, I’m not talking about Palladium - sorry, Microsoft Next Generation Secure Computing Base. That grew out of an attempt to reassure Sony that it would be OK to allow DVD movies to play on a PC without piracy becoming endemic and turned into a much more useful and visionary idea about using public key cryptography not to identify people but to secure machines. It would have been a good way to implement the DRM it was associated with in the public eye, though wouldn’t have forced it on anyone who didn’t want to run it. Palladium loaded a secure piece of software called the TOR that acted as a secure area that could only run trusted code (written to public APIs), where the apps would be invisible to the main OS - all secured by the machine-specific key in your TPM and some new technology from Intel. 

Ironically, trust was the issue with Palladium; nobody trusted Microsoft to either be building a secure system that didn’t impact on a very robust interpretation of free speech or, if it was, to do it right. The smallest part of the concept made it in a couple of versions of Vista as BitLocker: whole disk encryption secured by the TPM.

But the Palladium concepts are showing up in a lot of other places, including the NSA’s Security Enhanced Linux and Citrix’s Security Enhanced Xen - a small OS that runs as a secure virtual machine with isolated applications, using the TPM and Intel’s new hardware virtualization technology …

Intel even uses the words Trusted Computing Base, which might be a hostage to fortune given the fate of Palladium. The DRM discussion hasn’t started yet, but there’s a trusted channel to the keyboard, mouse, memory - and the graphics subsystem, which is what some thought would allow copy-protected DVDs to be watched in the secure area of Palladium, without the option to copy them. This time around it’s more likely to be copy-protected downloads: killing off HD DVD has actually made Blu-Ray less likely to get mass adoption, as player and disc prices stay high.

There are far more benefits to Palladium-style secure computing than protecting the movie industry or saving the banking industry from having to upgrade anti-fraud backends. You may keep your AV up to date and your company documents secure, but one in six of all PCs that touch the Google site has a bot and they’re all sending you spam.

And while the systems that look so much like Palladium that I get déjà vu are still a little way off, Asus is already selling machines with Express Gate. Granted, this is more like the embedded operating systems you see on a lot of media notebooks; it boots up in eight seconds and lets you see your photos and play your music. It has an Internet connection, so you can browse the Web without waiting for Windows. But it also uses the TPM in Montevina and you can treat it as an isolated operating system, says the press release: “Friends and family can use your notebook to nip online, use IM, listen to music, play and view without having access to your data, the system or the Windows environment.” Very Palladian.
-Mary


Technological fixes for economic and social problems don’t work

By Simon Bisson & Mary Branscombe in Editorial

Posted in People, Community, Privacy, Wireless, Security, Internet on July 6, 2008 at 4:39 pm


I’m guessing that most of you have already emailed your MEPs with a message roundly condemning the stealth attempts to pass legislation that will allow media companies to disconnect ordinary people from the Internet permanently just for the suspicion that they may be filesharing.

If you haven’t, may I join my voice to those urging you to do so? It won’t take long (thanks to the folk at MySociety.org) and it will help preserve your rights online as well as saving the small and medium sized ISPs that do so much to keep Internet access prices competitive. It’s that last bit that’s key to IT professionals - the measures that the legislation proposes are too expensive and complex for most ISPs to implement, which will mean you’ll be left dealing with just BT and Virgin for your business internet access - and I can guarantee that your monthly connectivity bills won’t go down as a result…

Here’s my letter. Don’t send exactly the same one - it’s your thoughts and words that matter:

I am writing to you as a constituent asking you to exert whatever influence you have with members of the IMCO and IMTR committees of the European Parliament to vote against amendments 2, 3, 4, 5 and 7 that have been introduced into the Telecoms package.

These amendments were introduced under the influence of industry lobbyists whose interests are in the attempted maintenance of obsolete business models that have become unsustainable; not only that, but they are an attempt to subvert earlier rejection by Parliament of explicit legislation to the same ends. The proposed measures are disproportionate, unworkable in practice, violate privacy and personal data security and would lead to entire families being denied access to the internet through the presumed guilt of one member. The European Parliament has already voted against them - they should not be passed by hiding them inside other important and much needed legislation.

Not only are they disproportionate; putting the onus on ISPs to detect and implement the measures required by the amendments is both an unfair measure and technically unfeasible. Many UK ISPs are small or medium sized businesses, and do not have the funds required to invest in wholesale tracking of their users’ actions. The amount of work required to implement these measures is large, and the techniques complex. The only organisations able to do this will be the incumbent carriers, reinforcing what is a de facto monopoly by putting small ISPs out of business.

There is, in fact, no way of identifying the difference between legitimate and illegitimate traffic in the manner described in the amendments. Many users use the same tools that are used to download copyright violations to install Linux, or get updates from Microsoft. If the tools proposed by the legislation aren’t perfect these innocent users will be tarred with the same brush as anyone violating copyrights. Even if it is possible to determine the type of data being accessed, it’s impossible to determine the actual state of the rights associated with it, or the intentions of the rights holders.

Innocent users also face the risk of having their home networks hijacked by third parties without their knowledge - and losing access as a result of third party actions. I’m more technically aware than most people, but it still took several weeks for me to find that someone elsewhere in my street was using filesharing software over my wireless network. Most home users don’t have access to the tools or the skills to find and identify these situations, yet the proposed legislation will make them liable for whatever happens on their home wireless networks.

I’m a technology journalist by trade, but I come from a technical background and helped found one of the UK’s first national ISPs, and also helped build the online presences of many major high street brands. The Internet has provided a boost to the economy, and these measures will reduce access to the Internet and by closing down small ISPs will increase the costs to the very users the European online economy needs.

The committees are scheduled to vote on this package tomorrow, 7th July, and I urge you to do what you can to have these amendments rejected and, failing that, to vote against the package yourself should it be presented for a vote by the Parliament as a whole.

I’m sorry that I’m sending this message with less than 24 hours to go, but I only found out about this today myself: so please do what you can to prevent these egregious and dangerous measures being codified into European law and to ensure that the European Parliament continues to represent the interests of its electors, even where those conflict with the short-term advantage of multinational corporations and their lobbyists.

Yours sincerely,

Simon Bisson

Remember you have a voice and a point of view, and it’s one that deserves to be heard.

–Simon


A nation of snoops and gossips

By Simon Bisson & Mary Branscombe in Editorial

Posted in Business, Security on June 24, 2008 at 10:39 am


You have no privacy, Larry Ellison said a few years ago; get over it. Is that because of governments and security agencies keeping track of you - or because of how much personal information you hand out yourself? If you want to break into someone’s bank account, most of the ‘secret questions’ used for security are probably answered on their Facebook account. And how about the information you give away when you sign up for a special offer or fill in a survey?

If you don’t remember to go tick the box to say it can’t go to third parties, some marketing companies will happily pass along anything they know about your religious beliefs (one in ten), ethnic background (one in seven) and sexual orientation (one in fourteen). And your mobile phone number and marital status… And if you don’t care who knows that, are you happy that one in four pass along your credit card details? Only 3% would hand over your national ID number if they had it - and they would keep secret your job performance, your biometrics - and possibly in light of the Facebook Beacon debacle, what movies you’ve rented.

These figures come from a survey done for StrongMail, an email delivery company, and show the difference you’d expect between data protection professionals believing customers should have more privacy than marketing professionals. But the real answer is if you don’t want something passed on, don’t tell anyone in the first place - because StrongMail’s figures also suggest two thirds of all companies have lost customer data somewhere along the line.

And make sure anything you’re passing on is something you’re supposed to know; according to Cyber-Ark’s survey a third of people who work in IT are happy to use the passwords they have access to for snooping on salary details, M & A plans, people’s personal emails and minutes of board meetings. And the passwords that protect anything that’s supposed to be secure? You know you don’t change them when someone in IT leaves. A third of admin passwords get changed once a quarter but nearly one in ten never get changed at all. If someone leaves in a bad mood, they can come back and check out personal customer details and company secrets any time they feel like remoting in.

If you want privacy for your own details or your company, it’s time to do something about it.
-Mary


In and out of the browser - how Microsoft and Google think differently

By Simon Bisson & Mary Branscombe in Editorial

Posted in Web browser, Privacy, Applications, People, Adobe, Firefox, Internet, Google, Security, Microsoft on June 4, 2008 at 1:11 am


For years, I’ve been saying that Google would be mad to build its own operating system. It should leave the thankless task to Microsoft and Apple and Linux distributions; you can debate how good a job they do, turn and turn about, but the scale of what a desktop OS needs to do and the range of devices it needs to support is far broader than what you need to do in a browser or on a smartphone. I still don’t think Google has any plans to create its own OS, but it’s pushing beyond the browser as a development platform with Gears and App Engine and the like. Microsoft has a whole range of platforms in the browser, out of the browser and around the browser, from Windows and WPF to Silverlight to SharePoint to Office to SQL Server – to name just a few of the platforms Bill Gates touched on in his last ever keynote at Microsoft TechEd this morning.

Silverlight is a lot of things, from Microsoft’s answer to Flash to Microsoft’s answer to Web based applications. Leave aside the video plugin side of it; the fact that Silverlight 2 (beta 2 due at the end of this week) runs .NET and programs written in dynamic languages on Mac and Linux as well as Windows is the most interesting part. And it’s not just for consumer Web apps; Facebook and Hotmail users aren’t happy with line of business apps in dreary basic grey when they get to work, and Silverlight is an easy way to spruce those up without slaving over a hot CSS schema for hours.

Adobe’s Air tackles much the same problem; how do you make powerful applications for the Web that work online and off, that look good and that work without installing anything (once you have the initial plugin or runtime). Air builds on Flex, so if you’re already writing Flash, you’ve got a head start. But there are a lot more .NET developers writing business apps, so although Microsoft demos consumer apps like the Crossfader social video sharing tool it talked about today, most Silverlight apps might show up at work, using Workflow Foundation and making data from SQL Server look good.

Silverlight is a subset of .NET and Windows Presentation Foundation, so developers are using familiar skills and Visual Studio plus Expression Blend for designers, who get to work on the live project, not in Photoshop mockups. The visual development tools also appeal to disenfranchised Visual Basic developers who’ve been wondering what Microsoft has done for them lately… Microsoft VP Soma Somasegar said Crossfader is being built by six developers and two designers in three months, which is more like Internet time than standard Microsoft time scales.

If Silverlight’s so good, why would anyone be creating Windows applications at all? Bill Gates finished his Q&A trying to balance that question. “Yes, you’ll be able to do amazing things in Silverlight, but there will always be things that you can do in Windows Presentation Framework that you can’t do in Silverlight. Why is that so? Well, it’s so because with WPF we get to assume we have the full power of the PC; we’re not just running in a browser environment. So, take things like 3D type things, virtual world type things, take things like ink recognition or playing video back at arbitrary speeds. WPF will, because it can connect in to all of Windows, expose those services and let people do new things.

“We need to keep the Silverlight download to be fairly modest. So, if you think of what that will be versus the entire Windows environment, we have a much bigger runtime to call on. So, we’re not saying that those get absolutely merged, but we will have exactly the right relationship. And even as you’re in Visual Studio or in the Expression tools, you’ll be able to say I want to author for the Silverlight piece and to let you know that if you’re sticking to the things that work in that world.

“Silverlight will probably have almost everything WPF has today, but WPF will keep getting richer and richer as we go forward.”

That’s the Microsoft dream and it’s one direction things could go. Google is pushing in completely the other direction. Last week at Google IO, Chris Prince and Aaron Boodman (better known as the designer of the Greasemonkey Firefox extension) were explaining why they don’t want you to think of Gears as taking Google applications offline. Yes it does that, but actually Google wants it to give Web apps access to all the capabilities of your PC the way desktop apps do. Why shouldn’t the browser get the power of your 2GHz processor and your 300GB hard drive? Why shouldn’t they be able to send you notifications in another window or show a progress bar? Why can’t you access USB drives from inside Gears or use a GPS to tell the Web app where you are?

Google filed its name off Gears so that it has more chance of becoming a standard, either as part of HTML 5 or by becoming ubiquitous as a plugin in its own right. Personally, I’m not going to be installing it on any machine I use.

It’s not just because it has no way to limit the amount of disk space it’s going to take for its local database (used by MySpace to give you search across the whole site without having to take up space on their data centre for those pesky index files). It’s only partly because it’s going to be able to use your GPS or other tools to get your location and there is currently nothing to warn the user and no options for choosing if and when Gears can get your location. Google seems committed to harmonizing with whatever standards HTML 5 includes for the things that Gears does, and I’m not the one who will have to deal with duplicate APIs from Gears and HTML 5 to do the same thing – that’s a problem for Web developers to juggle. And the fact that Web sites like YouSendIt already have real progress bars without needing me to download a plugin is a quibble rather than a complaint.

Mainly, I won’t use it at this point because of how Chris Prince explains why he thinks Web apps are so good in the first place. “Everything in the browser is inherently safe,” he said at Google IO. “There is no cost to install a Web app, you’re not afraid to click a link, and you can navigate away with no fear it will take over your machine.” Compared to the near-paranoia that is Microsoft’s attitude to the Web, from the phishing filter to the way IE doesn’t get the same privileges as a desktop app to the security-first attitude that permeates the company, calling the browser ‘inherently safe’ seems a little laissez faire to me.

Adding binary data files to JavaScript will certainly make for more powerful apps. Some of them might be Trojans; if Gears gets everything Google talked about that would be able to scrape files off a USB stick, record you talking with the audio APIs, add in your physical location and do whatever you can think of with it all, good or bad. If I’m not too busy playing with whatever features the Web app disguising the Trojan has I can navigate away from it – but if it’s using Gears to run offline, has it gone away?

The browser sandbox limits the features on my system that Web apps have access to. That’s a pain when you want to build a better app in the browser – but it’s a security measure if you want to build a better way of attacking my system. I asked Chris Wilson of the Internet Explorer dev team if I was being paranoid – he was the one who’d raised the issue about privacy with the GPS location in Gears at the end of the session. Maybe, he suggested - but with the number of security issues it raises, Gears isn’t going to be installed by default with IE any time soon…
-Mary


It’s a good thing spammers aren’t smarter

By Simon Bisson & Mary Branscombe in Editorial

Posted in Identity, Security, Google, Internet on May 10, 2008 at 9:10 pm


I find it easy to spot most of the phishing messages that hit my inbox, because there’s nearly always an egregious grammatical mistake in there somewhere. Real messages from banks may be full of logical errors (like a regular savings account with a headline rate of 7% that never tells you that actually it averages out nearer 4% because not all of the money gets to earn the high rate for the whole year), but the spelling is spot on.

And spammers are in such a hurry to put up the Web pages they want to earn ad money on, or use for drive-by downloads to increase the size of the botnet they use to send most of the spam from zombie machines, that they often make stupid mistakes. If you’re checking 100 messages a day in your junk mail filter for anything real that got in there by mistake, I’m not sure if it’s any comfort to remember that spammers are only human. But Google finds it useful.

According to Matt Cutts of Google at Web 2.0, Web spammers often use templates and tools to build their pages. And fairly often they follow the commented-out instruction to ‘type your hidden text in here’ - but never delete that instruction. The tools they use to fill in forms are simplistic too; the captcha you have to complete to leave a comment here is enough to defeat most of them - but so is a box labelled email address with the instruction not to fill it in. When the bot adds whatever email address it’s abusing, you know you can just delete the comment. Simple maths or the instruction to type in a specific word are beyond bots - at least until Jeff Hawkins perfects Hierarchical Temporal Memory.
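The comment-form defences Cutts describes (a field that humans are told to leave empty, and a simple sum the bot can’t answer) are easy to check server-side. The block below is an added example, not code from this blog or from Google; the field names (`website`, `sum`, `challenge_token`), the HMAC-signed token scheme that lets the server verify the answer without storing it, and the secret are all assumptions made for the example.

```python
"""Server-side anti-bot checks for a comment form: a honeypot field that
real visitors never fill in, plus a simple arithmetic challenge whose
expected answer travels back to the server as an HMAC-signed token.
Added example with constructed field names and secret."""
import hashlib
import hmac
import secrets

# Constructed secret; in a real deployment load it from configuration.
SERVER_SECRET = b"constructed-example-secret"


def _tag(nonce, answer):
    """HMAC over nonce|answer so the answer itself never reaches the client."""
    return hmac.new(SERVER_SECRET, f"{nonce}|{answer}".encode(),
                    hashlib.sha256).hexdigest()


def issue_challenge(a=None, b=None):
    """Return the question to show the user and the hidden token to embed in the
    form. a and b are normally random; the parameters exist for testing."""
    a = secrets.randbelow(9) + 1 if a is None else a
    b = secrets.randbelow(9) + 1 if b is None else b
    nonce = secrets.token_hex(8)
    return {"question": f"What is {a} + {b}?",
            "token": f"{nonce}:{_tag(nonce, a + b)}"}


def classify_submission(form):
    """Return 'ok' or the reason a posted form (a dict of field -> string) is
    rejected. 'website' is the honeypot: hidden from humans by CSS and labelled
    'leave this empty', so any value means a form-filling bot was at work."""
    if form.get("website", "").strip():
        return "honeypot filled"
    nonce, _, tag = form.get("challenge_token", "").partition(":")
    if not nonce or not tag:
        return "missing challenge token"
    try:
        answer = int(form.get("sum", "").strip())
    except ValueError:
        return "non-numeric answer"
    # Constant-time compare so timing doesn't leak which hex digits matched.
    if not hmac.compare_digest(tag, _tag(nonce, answer)):
        return "wrong answer"
    return "ok"


if __name__ == "__main__":
    challenge = issue_challenge()
    print(challenge["question"])
    # A human posts the honeypot empty and the right sum; a bot typically
    # fills every visible field and guesses at the sum.
    bot_post = {"website": "http://spam.example", "sum": "0",
                "challenge_token": challenge["token"]}
    print(classify_submission(bot_post))
```

Because the token is stateless, a solved challenge could be replayed; in production the nonce should carry an issue time and be rejected once used or once expired.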

If you have a site, you need to think of things that raise the blood pressure of the spammers without doing the same to your users. It’s like being chased by any dumb but dangerous pack animal, says Cutts; you only have to run faster than the slowest person you’re willing to sacrifice. If your system is a little different from the default installation of whatever you use, the default attacks are less likely to work and the spammers may move on to slower prey.

Apart from the obvious advice to patch, patch and patch again, Cutts didn’t say much more - because every time you tell spammers how you’re spotting them, they get a chance to stop doing that. A lot of what Google knows about spam comes from the analysis it does of real Web pages, which lets it work out what things go together. If you know that timepiece and chronometer are synonyms for watch, those strangely-worded Rolex spams are easier to stop. You can see this classification in Google Sets and it’s used in Google Spreadsheets. The equivalent of Excel AutoFill does more than days of the week and months of the year, without you having to add the lists by hand; start with red, yellow and blue and Google Sets will add other colours. Start with lion, tiger, bear and you get other animals.

But you might also get wood, tin and cotton. That’s because Google Sets can’t always tell the difference between the list of animal names and the list of animal toys on the Web sites it looks at. It will learn; like spammers it will learn more quickly if someone tells it what it’s got wrong. But at this point, we get into a race between whether the anti-spam tools can learn faster than the spammers…
-Mary


RSA 2008 - Computer Anti Forensics

By Simon Bisson & Mary Branscombe in Editorial

Posted in Server, Security on April 17, 2008 at 7:30 am


How do you know you’ve been hacked? You may have a suspicion that someone’s inside your network, but if your log files don’t show anything, don’t assume that your systems are secure. The bad guys know all about standard computer forensic techniques and have toolkits full of techniques and programs to cover up their traces. The computer security team at Verizon are finding that anti-forensics are used in more than 2/3 of intrusions.

One of the most common techniques is data wiping, used to reduce the evidence available to security analysts. It was used in only 18% of cases in 1998; things are very different today, with data wiping used in 80% of cases. The popularity of data wiping can be seen by the sheer number of tools available on black file sites - with more available than all the other types of anti-forensic tools combined.

Luckily for us data wiping is not perfect, and even the best tools leave some files behind - especially when files have been locked or are still in use. It’s a good idea to think outside the box - often literally. Perhaps a backup has traces of the bad guy at work, or there may be traces of his tools and actions on a clustered storage array somewhere else in your data centre. And of course there’s the old forensic stand-by: running memory. A memory dump can show traces of running programs in old page files.

The next most popular technique is data corruption, closely followed by data injection. The aim here is to hide from your logging tools - or even make your log files unreliable. One technique is very simple, with intruders resetting system clocks to create a whole new log that can be deleted when they leave. If there are unexpected holes in log files, there’s a distinct possibility that someone is changing your system clock. More complex techniques use tools to corrupt log files to cover up attacks, or to edit out an attacker’s actions.

One case Verizon worked on was a retail customer that was seeing unexpected charges on its credit card system. Nothing was found in the logs, but the Verizon forensic team was sure that something was happening, so they began to monitor the system.

A few days later a tripwire was triggered, and they were able to watch (and screen capture) someone from the credit processing vendor coming in to the network on a trusted connection. The attacker first changed the system clock to hide their actions, and then used the debug mode in the credit card software to steal transaction data. The security team watched the attacker tidy up after themselves, deleting the debug files. Finally the attacker reset the system clock and edited the system logs to replace their external IP address with an internal one. They’d only made one mistake, which was how the security forensics team was convinced that there was an attacker.

What was it?

The internal IP address they were using wasn’t actually assigned to anything.

It’s clues like that that you need to look out for when assessing a system to see if it’s been compromised. You know what makes your network tick, what addresses are in use, and what your system logs should look like. Vigilance is the only way you’re going to be secure.
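Both clues in this post (the holes a clock reset leaves between consecutive log entries, and an “internal” address that nobody was ever given) can be checked mechanically against an address inventory. The block below is an added example, not Verizon’s tooling or anything from the original post: the syslog-style lines, the host inventory, the 10.0.0.0/8 internal range and the one-hour gap threshold are all constructed for the example.

```python
"""Scan a syslog-style log for two anti-forensic clues described in the post:
(1) timestamps that run backwards or jump forward by more than a threshold
between consecutive entries (a sign the system clock was reset), and
(2) source addresses inside the internal range that are not assigned to any
known host.  Sample log and inventory are constructed for this example."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample log: the clock jumps back ~3 hours at line 3 and forward
# again at line 4; line 4 also cites 10.0.5.77, which the inventory lacks.
SAMPLE_LOG = """\
2008-04-02T22:10:05 pos01 sshd[412]: Accepted publickey for svc_ccproc from 10.0.1.20 port 51022
2008-04-02T22:10:09 pos01 ccproc[2290]: session opened for svc_ccproc
2008-04-02T19:12:44 pos01 ccproc[2290]: debug mode enabled by svc_ccproc from 10.0.1.20
2008-04-02T22:41:30 pos01 sshd[477]: Accepted publickey for svc_ccproc from 10.0.5.77 port 51091
2008-04-02T22:41:35 pos01 ccproc[2290]: debug files removed
"""

# Constructed inventory: every internal address DHCP/DNS actually hands out.
ASSIGNED_HOSTS = {
    "10.0.1.20": "ccproc-gateway",
    "10.0.1.21": "pos01",
    "10.0.1.22": "pos02",
}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed internal range

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_line(line):
    """Split 'ISO-timestamp host message' into (datetime, host, msg) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["host"], m["msg"]


def find_clock_anomalies(log_text, max_gap=timedelta(hours=1)):
    """Return (line_no, kind, seconds) for every consecutive pair of entries
    whose timestamps go backwards or jump forward by more than max_gap."""
    anomalies = []
    prev = None
    for n, line in enumerate(log_text.splitlines(), start=1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts = parsed[0]
        if prev is not None:
            delta = ts - prev
            if delta < timedelta(0):
                anomalies.append((n, "backwards", -delta.total_seconds()))
            elif delta > max_gap:
                anomalies.append((n, "gap", delta.total_seconds()))
        prev = ts
    return anomalies


def find_unassigned_internal_ips(log_text, inventory, internal_net):
    """Return (line_no, ip) for each address inside internal_net that the
    inventory has never assigned - the clue that caught the attacker above."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        for ip in IP_RE.findall(line):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue  # e.g. 300.1.2.3 matched the regex but is not an IP
            if addr in internal_net and ip not in inventory:
                hits.append((n, ip))
    return hits


if __name__ == "__main__":
    for n, kind, secs in find_clock_anomalies(SAMPLE_LOG):
        print(f"line {n}: clock {kind} by {secs:.0f}s")
    for n, ip in find_unassigned_internal_ips(SAMPLE_LOG, ASSIGNED_HOSTS, INTERNAL_NET):
        print(f"line {n}: internal address {ip} is not in the inventory")
```

Run against a real log, the gap threshold needs tuning to how chatty the host is, and the inventory should come from the same source of truth (DHCP leases, DNS, a CMDB) that the post says you already know your network by.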

In the immortal words of Hill Street Blues: Be careful out there.

– Simon


From security theatre to security cabaret, or why too much security is worse than none

By Simon Bisson & Mary Branscombe in Editorial

Posted in People, Business, Identity, Futures, Security on April 12, 2008 at 6:46 am


Security theatre is what security expert Bruce Schneier calls measures designed to make us feel safer that don’t actually make us any safer at all. He discussed the positive effects of this at the RSA conference this week; flying is one of the safest forms of transport and if having to take off your shoes and abandon your bottle of water makes you feel that airport security is good enough to catch terrorists and you fly rather than taking a more dangerous method of transport, then the security theatre has made you more secure.

Here’s another paradox. Too much security makes you insecure. If someone in your company is emailing customer information to their Gmail account and copying market forecasts to their laptop and keeping old price lists for months after they’re out of date, it’s more likely that they’re just trying to get their job done on the road than that they’re stealing data to pass to a competitor - and that you didn’t give them a better way to do it. Make it impossible to do my job securely and I’m going to break or bypass your security so I can actually do my job.

The wireless network at the RSA conference was a good example of this. It was secure. Very secure. So secure that without the five pages of instructions I didn’t manage to get connected, and I didn’t meet anyone else at the conference who managed it either. If I’d wanted to hack into the laptops of anyone at the show, I wouldn’t have tried to steal them. I’d have set up an open free wi-fi connection on the show floor and everyone would have connected to that instead, giving me a great opportunity to see anything that didn’t go through a VPN.

Hugh Thompson of People Security has a good grasp of security and security theatre; you’ll have seen him if you watched Hacking Democracy, the documentary about the security problems with voting machines. He closed the conference with a chat show that ranged from a funny song about SQL injection (not a very funny song, but still) to Eric Drew’s tale of having his identity stolen by a lab technician at the hospital where he was being treated for leukemia and tracking the man down himself (a story Drew makes funny in the retelling that would have been a tragedy if he wasn’t in remission).

Thompson had a semi-serious conversation with Bill Cheswick, co-inventor of the firewall. Cheswick jokingly referred to malware as a “denial of spare time attack” that at least means you spend time with the family and friends who ask you to fix their computers. He was also slightly tongue in cheek when he said that he hadn’t used a firewall in a decade because he wants to use a secure computer instead; “it’s that whole crunchy outside, chewy centre thing; now we have much bigger liquid centres and once you’re past the outside you have access to everything.” But Cheswick also had some serious predictions to finish off Thompson’s security cabaret.

  • “IPv6 has been three years away for the last 15 years. We’re finally approaching it - so all those firewall rules are going to need redoing. That will be fun…”
  • “More attacks are going to come in through the browser so it may not matter so much what the OS underneath is. You go to the wrong page, or the right page that has the wrong advertising agency - you did the right thing on your site but the other guy got hacked. To deal with that there’s going to be more sandboxes. I want users to be able to do everything online. I want them to run free in a sandbox. I used ASCII email for twenty years. ASCII email is safe but you want to be able to click on the pictures.”
  • “Computers are going to get better. We’re in the barnstorming era now. We’re going to look back and say ‘remember when you had to be careful about what you clicked on?’”.

RSA 2008 - Spamming a shadow economy

By Simon Bisson & Mary Branscombe in Editorial

Posted in Security, Internet on April 10, 2008 at 6:38 am


There’s a shadow economy that’s bigger than you can imagine, and it’s the engine that’s driving the spam that’s flooding your inbox. That’s the message from RSA 2008 in San Francisco, where security experts are debating the shape of tomorrow’s threats.

In a panel on understanding the online criminal ecosystem, expert spamfighters sat down and told the world what they knew about the world of spam. The days of the green card lawyers flooding Usenet newsgroups are long gone. The target now is the web, and email is the tool of choice. It’s email that brings new customers to the spam networks, it’s email that entices the new money mules, and it’s email that lets spammers build their hidden bot nets.

Botnets are the heart of the criminal ecosystem, running spam web sites, sending out messages, and acting as a shadow network of stolen CPU cycles and network bandwidth. They’re even acting as web servers, fast-fluxing web sites across the network so they avoid the packet scanning radar of the ISPs. The domain names they use are real, as are the DNS servers. While most domain name services are legitimate, there are some smaller registries that get much of their business by providing domain name services for spam networks.
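Fast flux is visible from the resolver side: the same name keeps answering with different addresses, on different networks, with a TTL short enough to rotate them. The block below is an added example, not code from the original post or from the panel: the observation format, the names (all under .example) and the addresses (RFC 5737 documentation ranges) are constructed, and the thresholds are illustrative rather than tuned.

```python
"""Added example (not from the original post): a first-pass fast-flux detector
over repeated DNS lookups. The observation format, the domains (all under
.example) and the addresses (RFC 5737 documentation ranges) are constructed,
and the thresholds are illustrative, not tuned values."""
import ipaddress
from collections import defaultdict

# Constructed observations: "<unix time> <name> A <address> <ttl>", as a
# resolver cache or passive-DNS sensor would record them. pills.example
# rotates across three networks; shop.example is a normal static host;
# static.example has a low TTL but stays inside one network, like a CDN.
SAMPLE_OBSERVATIONS = """\
1207800000 pills.example A 192.0.2.10 180
1207800180 pills.example A 198.51.100.7 180
1207800360 pills.example A 203.0.113.25 180
1207800540 pills.example A 192.0.2.77 180
1207800720 pills.example A 198.51.100.200 180
1207800900 pills.example A 203.0.113.9 180
1207800000 shop.example A 192.0.2.50 3600
1207803600 shop.example A 192.0.2.50 3600
1207807200 shop.example A 192.0.2.50 3600
1207800000 static.example A 198.51.100.20 60
1207800060 static.example A 198.51.100.21 60
1207800120 static.example A 198.51.100.22 60
"""


def parse_observations(text):
    """Keep only A records as (time, name, address, ttl) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, rtype, addr, ttl = line.split()
        if rtype == "A":
            records.append((int(ts), name, ipaddress.ip_address(addr), int(ttl)))
    return records


def summarise(records):
    """Per name: distinct addresses, distinct /16 prefixes (a crude stand-in
    for 'different networks'), the lowest TTL seen and how often we looked."""
    summary = defaultdict(lambda: {"ips": set(), "prefixes": set(),
                                   "min_ttl": None, "lookups": 0})
    for _, name, addr, ttl in records:
        s = summary[name]
        s["ips"].add(addr)
        s["prefixes"].add(ipaddress.ip_network(f"{addr}/16", strict=False))
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        s["lookups"] += 1
    return dict(summary)


def is_fast_flux(stats, min_ips=5, max_ttl=300, min_prefixes=3):
    """All three must hold: a low TTL alone is what CDNs and load balancers
    do too (static.example above), so the address churn has to be both wide
    and spread across unrelated networks before we call it flux."""
    return (len(stats["ips"]) >= min_ips
            and stats["min_ttl"] is not None and stats["min_ttl"] <= max_ttl
            and len(stats["prefixes"]) >= min_prefixes)


def classify(text, **thresholds):
    """Map each observed name to True (looks like fast flux) or False."""
    return {name: is_fast_flux(stats, **thresholds)
            for name, stats in summarise(parse_observations(text)).items()}


if __name__ == "__main__":
    for name, flagged in classify(SAMPLE_OBSERVATIONS).items():
        print(f"{name}: {'FAST-FLUX' if flagged else 'ok'}")
```

In production the /16 heuristic would be replaced with an ASN lookup, and the window of observations would be bounded in time, but the shape of the decision is the same: churn, diversity and TTL together, never TTL alone.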

Bots also reduce the costs of running a spam network, as they mean online criminals do not own the infrastructure. Instead they’re using stolen cycles on their bots, and have no infrastructure to be confiscated by law enforcement.

It’s a very profitable business. Spam advertising makes money (often selling real products through the networks’ own fulfilment houses), and bots are also used to steal credit card data and users’ identities. There’s a lot of money to be made from selling stolen credit cards, especially if account access comes with the card. Botnets can also be used to manage and distribute adware and spyware, or run DDoS extortion attacks on gambling sites.

Spammers have learnt from legitimate online businesses, and now many run like Google’s or Amazon’s affiliate programmes. These allow spam networks to expand quickly – and also allow the network operators to hide in the background. Larger networks mean more revenue, and even though the cash has to be shared, it’s a business model that makes a lot of sense.

There’s a reason why spam has moved from Florida to Eastern Europe. It’s a lot easier to make money from cybercrime than from the legitimate economy if you’re at all technically inclined. There are several folk out there whom the panel called the “Bill Gateses of Cybercrime”, with a mix of skills in both code and business. They’re the people who’ve built this new ecosystem – which includes a lot of specialised skills and services.

One example was a pump and dump stock scammer, who was playing both sides of the game and making money on the stocks he was spamming as well as from the stock owners. He began by using spammer chat rooms to recruit people to infect computers to spam through, paying for their services per infected computer. The result was a market selling networks of hacked computers to spammers. The pump and dump scam itself is an old one, and it turns out that the people running Internet pump and dump scams had been running them by mail for years. It’s a new way of doing an old business.

Stock scams are important, but they don’t get into the news. A group of hackers that were in the keystroke logging business decided to go bigger, and go after where the data existed. They ended up designing attacks on the middle tier of businesses, entities that process financial transactions, like retailers and small credit unions. Even though there are standards for working with encrypted data, there’s often a flaw, because the data frequently transits the network in the clear. The result has been 30 significant data breaches in the last two months, with the criminals getting entire caches of credit card data – data they can use to remanufacture and use the cards.

Pharmacy spammers are probably the most visible, and they’re making a lot of money – over $150 million a year. They’re even selling real drugs… If you want to sell Viagra online, all you need to do is go to one Russian organisation. It will set you up with a pharmacy site and take care of everything from credit card processing to web hosting and shipping.

There’s something more worrying too. It turns out that there’s even a shadow technology journalism out there, with people reviewing these services. Does that mean that there’s even a shadow IT Pro out there?


Identifying who you trust to know where you are

By Simon Bisson & Mary Branscombe in Editorial

Posted in Privacy, Business, Enterprise, Identity, Futures, Internet, Security, Microsoft on March 25, 2008 at 8:40 pm


Way back when consumer digital maps were new, I went in to see the Dorling Kindersley World Atlas on DVD. We were looking at the California map and I wanted to see where the Apple headquarters were. I said ‘Cupertino’ and the helpful PR said ‘OK but I thought we could finish the demo and then have lunch’. We looked at each other blankly for a little while; they’d heard a rather curt ‘cup of tea now!’ rather than a place name. Even if you know you’re talking about location, there’s room for error. When you put San Jose into Dopplr, you get 25 places, none of them in California.

Fire Eagle - Yahoo’s new location service, which will act as a universal broker between location services like the Loopt system Google Maps uses on mobile phones and services like Dopplr - is trying to be smarter about identifying what you type. It knows that Grand Canyon is a place. And if my GPS has sent one location and I’m typing another in on the Web, it doesn’t just take the latest update.

It knows that my GPS co-ordinates in Campbell are actually inside the better-known San Jose area, so it can pick the most accurate designation. But if the last place my GPS knew I was before the batteries ran out was 60 miles away in Southern San Francisco, Fire Eagle will say I’ve moved on.

As a geek, I’m delighted. I’ll have much more chance of having an interesting conversation if a friend can see I’m not just in California but in San Francisco, not just in San Francisco but at the Moscone Center, not just at Moscone but leaving the press room and heading for the West Hall. I want the friend travelling from New Zealand for the Web 2.0 conference to know exactly where I am. I want my editor to know pretty well where I am, although if I’m interviewing a source in the bar rather than writing up copy in the press room I might want a fudge factor of 50 feet. My sister wants to know which state and maybe which city I’ll be in. The PR person trying to reach me probably only needs to know which timezone I’m in.

But do I want every Facebook user - including the burglar who’s spotted that we look at a lot of new smartphones - to even know I’m out of the office? My personal blog is more likely to have a photo of the drawer unit I decoupaged at the weekend than of the drawer unit in place, with two monitors and a scattering of mobiles on it, for much the same reason; or if it has the more revealing image, I’ll be limiting it to ‘friends and family’ via settings on Flickr and LiveJournal.
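The ladder of precision above (exact, within 50 feet, city, state, time zone, nothing) is a policy, and it is worth writing it down as one rather than leaving it to whatever each site’s privacy tick-box happens to offer. The block below is an added example, not code from Fire Eagle or from the original post: the audiences, the policy table, the sample location and the 15 m grid step (roughly the post’s 50 feet) are all constructed for the demonstration.

```python
"""Added example (not from the original post): choosing how much of a precise
location each audience gets to see. The audiences, the policy table, the
sample location and the 15 m fudge step are constructed for the demonstration
(the post's '50 feet' is roughly 15 m)."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Location:
    lat: float
    lon: float
    venue: str      # e.g. a conference hall or room
    city: str
    state: str
    tz: str         # IANA time zone name


# Constructed sample: coordinates near the Moscone Center, San Francisco.
MOSCONE = Location(37.7842, -122.4016, "Moscone Center, West Hall",
                   "San Francisco", "CA", "America/Los_Angeles")

# Who sees what. "fuzzed" gives coordinates snapped to a coarse grid, so the
# bar and the press room next door collapse to the same point and the venue
# name is withheld.
POLICY = {
    "conference_friend": "exact",
    "editor": "fuzzed",
    "sister": "city",
    "pr_agency": "timezone",
    "public": "none",
}

METRES_PER_DEGREE_LAT = 111_320.0  # close enough everywhere for grid snapping


def snap_to_grid(loc, step_m):
    """Round lat/lon to a grid of step_m metres. Deterministic on purpose:
    random jitter averages back to the true point after enough queries."""
    step_lat = step_m / METRES_PER_DEGREE_LAT
    step_lon = step_m / (METRES_PER_DEGREE_LAT * math.cos(math.radians(loc.lat)))
    return (round(loc.lat / step_lat) * step_lat,
            round(loc.lon / step_lon) * step_lon)


def disclose(loc, audience, policy=POLICY, fudge_m=15.0):
    """Return only the fields the policy allows for this audience.
    An audience the policy does not name gets nothing, not everything."""
    level = policy.get(audience, "none")
    if level == "none":
        return {}
    out = {"timezone": loc.tz}
    if level == "timezone":
        return out
    out.update({"state": loc.state, "city": loc.city})
    if level == "city":
        return out
    if level == "fuzzed":
        lat, lon = snap_to_grid(loc, fudge_m)
        out.update({"lat": lat, "lon": lon})
        return out
    out.update({"lat": loc.lat, "lon": loc.lon, "venue": loc.venue})
    return out


if __name__ == "__main__":
    for who in ("conference_friend", "editor", "sister", "pr_agency", "public", "stranger"):
        print(f"{who:>18}: {disclose(MOSCONE, who)}")
```

Two design choices matter here. The default for an unlisted audience is the least detail, not the most, so adding a new site or friend group never leaks by omission. And the fudge is a deterministic grid snap rather than random noise: a burglar who can poll a jittered feed every few minutes recovers the true point by averaging, whereas a snapped point gives the same answer every time.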

Actually, of course, I’ll have to do both, as the two sets of identities don’t match up. If LiveJournal users annoyed at the way the new Russian owners of the site have handled introducing adverts on all free accounts migrate to other services, it will be even harder to include the people I want to publish to, because the only cross-site identity that’s really in use is OpenID and it’s not ready for primetime.

For one thing it’s not supported by every site (or even a large proportion of them), and there’s a mix of support for the older, less secure OpenID 1.1 and the newer, stricter OpenID 2. And even with the newer, stricter OpenID 2, OpenID isn’t secure; it’s vulnerable to attacks from either end of the connection, and the middle - that’s because it’s little more than a simple, lightweight way of saying ‘that URL over there? It’s me, that is’.

It doesn’t say anything about who owns the URL you’re pointing at, only that it’s some URL that supports OpenID. Mary.WeHackYouForMoney.com is a valid OpenID (well, it would be if I paused to register the domain and set up the OpenID code).

OpenID is good for the simplest of single sign-on systems (for more complex enterprise SSO, take note that IBM just bought Encentuate). It lets me say, without an API, that the me on Facebook is the me on Flickr, LiveJournal, LinkedIn and so on (because I have to tell each site to accept the OpenID request from the next one, so I must have the username and password to get into each previous account).

Anil Dash of Six Apart (former owners of LiveJournal) mentioned to me at Etech 08 that several large customers (for values of large enough to run Oracle) are using OpenID for employees and partners so they can prove they work for the company in online discussions. Proving identity is a nice idea; but OpenID just proves they have access to a domain that sounds about right. To have an Internet-wide identity system that will let me choose friends across a mix of sites and services, there’s going to have to be something a little stricter, like SAML or WS-Federation.
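What the protocol proves, and what a relying party has to decide for itself, can be seen in the discovery step. The block below is an added example, not code from the original post or from any OpenID library: the page served at the claimed identifier, the provider endpoint and the trusted-domain list are constructed, while the link relations are the ones OpenID 1.1 (openid.server, openid.delegate) and OpenID 2.0 (openid2.provider, openid2.local_id) define for HTML-based discovery.

```python
"""Added example (not from the original post): what an OpenID identifier
actually proves, and the policy a relying party has to add on top. The HTML
page, the provider endpoint and the trusted-domain list are constructed; the
link relations are the ones OpenID 1.1 (openid.server/openid.delegate) and
OpenID 2.0 (openid2.provider/openid2.local_id) define for HTML discovery."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed: the page served at the claimed identifier URL. Any host that can
# serve two <link> tags is a valid OpenID; nothing here says who owns it.
SAMPLE_PAGE = """<html><head>
<link rel="openid2.provider" href="https://idp.example.net/op">
<link rel="openid2.local_id" href="https://idp.example.net/users/mary">
<link rel="openid.server" href="https://idp.example.net/op1">
</head><body>Mary</body></html>"""


class _LinkRels(HTMLParser):
    """Collect <link rel=... href=...> pairs; first occurrence of a rel wins."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        if a.get("rel") and a.get("href"):
            for rel in a["rel"].split():       # rel may carry several tokens
                self.links.setdefault(rel, a["href"])


def discover(html):
    """HTML-based discovery: the 2.0 tags win, then the 1.1 tags."""
    p = _LinkRels()
    p.feed(html)
    if "openid2.provider" in p.links:
        return {"version": 2, "endpoint": p.links["openid2.provider"],
                "local_id": p.links.get("openid2.local_id")}
    if "openid.server" in p.links:
        return {"version": 1, "endpoint": p.links["openid.server"],
                "local_id": p.links.get("openid.delegate")}
    return None


def normalise(identifier):
    """Simplified OpenID 2.0 normalisation: add http:// if no scheme, lower-case
    the host, drop the fragment, default the path to '/'."""
    if "://" not in identifier:
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    host = (parts.hostname or "").lower()
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


def accepted(identifier, html, trusted_hosts, require_v2=True):
    """A relying party that wants 'works for the company' to mean something:
    the claimed identifier must sit on (or under) a trusted host, and the
    provider must speak OpenID 2.0. Suffix matching is anchored on a dot, so
    staff.example.com.attacker.test and evilstaff.example.com do not pass."""
    info = discover(html)
    if info is None or (require_v2 and info["version"] != 2):
        return False
    host = urlsplit(normalise(identifier)).hostname or ""
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


if __name__ == "__main__":
    trusted = {"staff.example.com"}       # constructed company domain
    for claimed in ("https://mary.staff.example.com/",
                    "Mary.WeHackYouForMoney.example",
                    "http://staff.example.com.attacker.test/"):
        print(f"{claimed:45} -> {accepted(claimed, SAMPLE_PAGE, trusted)}")
```

The point is that `discover` succeeds for every one of those identifiers; only `accepted`, which is the relying party’s own policy and no part of the protocol, tells the company domain from one that merely sounds right. A real relying party would also verify the provider’s signed response and check that the endpoint returned by discovery matches the one that answered, which this example does not do.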

Identity systems like Higgins, Bandit and Microsoft CardSpace could all work together to let me pick an information card with the information I want to assert about myself and an identity provider I want to have back it up. Then you’d know that Experian says I’m on the electoral roll and IT Pro says I’m a writer here - and when you choose to let me see where you are in the world you’d know who you were showing your itinerary to.

And if you’re still expecting CardSpace to make the same mistakes as Passport and pass your details on from every site using it to Microsoft: about the same time IBM bought Encentuate, Microsoft bought Credentica, not so much for the U-Prove software as for the maths behind it. It’s a protocol with provable privacy properties: a provider can vouch for a claim about you without learning where you present it, and without handing over anything beyond the claim itself. Instead of boning up on CardSpace and SAML, you could say to your usual IT consultancy ‘bill me for a CardSpace system that proves my employees work here’. The information provider would assert that your CTO was your CTO, but it would never get his name to pester for a new contract. The information provider wouldn’t see my travel dates or my list of who I count as a friend. Identity, location - and a bit of privacy.

– Mary
