I'm going to be unable to update this blog until sometime in the New Year.

Distinguishing between a person signing up for a webmail account and an automated program singing up for an account is necessary to keep spammers off the webmail's systems. But it is a surprisingly hard thing to do.
Many of these systems were broken earlier this year when an unknown, enterprising, computer vision researcher developed code that could pass these tests and sold it to the writers of botnets. The webmail systems then changed their sign up procedure to make it more difficult for the botnets, but yet again the systems have been broken.
An excellent article shows a virus infected machine in the process of attempting to sign up fake accounts on Hotmail. This process happens quietly in the background while the user continues using their virus infected machine unaware that it is being controlled by professional criminals.

Solving security problems is not easy. Bad security systems can easily make a situation worse, it can easily impose a large cost burden and impose unnecessary work loads on users of the system without improving security at all. Like any problem, security problems are best resolved through careful considered thought, considering all the objections and things that might go wrong carefully and dutifully and coming up with a suitable solution of minimum cost that can have a measurable affect on a defined security problem.
Then there is the UK government's ID card scheme. Recently an expert in biometric recognition warned that the UK's ID card system would be unworkable. The problem is that fingerprints aren't different enough between individuals to uniquely distinguish many millions of people. Fingerprint identification works well if there are a dozen suspects for a crime, or to distinguish the hundred or so people who may try to access your computer, but it may not be good enough to uniquely identify one person in a population the size of the UK. Additionally, many people may not be able to give fingerprints due to their skin being too fine or dry.

The expert says:
"The use of fingerprints will cause deduplication to drown in false matches.
The government was badly advised by its internal scientists in the Home Office when it took the decision to base the biometric system on fingerprints"

The politician, Jacqui Smith, Home Secretary says:
"Because it is so exceptional, it is not going to be a problem that undermines the entire scheme."

Does anyone want to bet which one of the two statements will be proved right>

How often do you delve back into your email archives to pull out an old email to check on something you sent, or that someone sent to you? I'd guess not very often. Personally if I haven't revisited an email in the last 6 months its unlikely that I'll ever require it again. The vast majority of email that I receive I only read once. Yet I hardly ever delete old emails. They sit there consuming storage space. That in itself is an unnecessary cost, but if ever a court ordered a discovery process where every saved email had to be examined to see if it related to a certain subject then the costs would be very high indeed.
A recent article reports costs to be between $1 million to $3 million per terabyte of data. A terrabyte is a lot of data, however I calculate my own email storage to be in the region of 5Mb of email data per month. So a team of ten people is storing in excess of half a gigabyte of data per year. For larger companies this amount of data soon mounts up. Is it worth it? Will this data ever be used? Would it be better, more cost effective and would it actually reduce liability if it was simply deleted? Maybe companies should pay as much attention to their data deletion policies as to their data retention policies. After all, you can't store it all for ever.

Spam in my inbox is distinguished from legitimate mail by 'consent'. I have expressed my consent to various services to receive their email correspondance, such as newsletters. I'm even grateful to some services to receive news of their 'special offers' and pleased when I receive an email telling me that something that I was thinking of buying is at half price for this week. My friends and family also have my consent to send me email as an integral part of our relationship.
However, I have not given my consent to receive adverts about pills, cheap watches, or indeed degrees in radiology. These emails are spam. They have not been sent by anyone with whom I have a current relationship, nor have I given my consent to these people to receive these emails. This is how I know this is spam.
So its very surprising and worrying to read about the City of London Police's view on what constitutes 'consent' when it comes to network security. To cut a long story short, BT, a telecoms provided trialed a service that targets ads by analysing a user's network traffic. As far as I can tell, BT didn't inform the users of this, or actively seek their consent in the matter. When they found out, BT's users where up in arms about an invasion of their privacy and complained to the police. Reportedly, the police declined to prosecute, "</i>They said that there was no criminal intent on behalf of BT and that there was implied consent because the service was going to benefit customers.</i>" the BBC article says.
I understand the concept of guilty mind, BT did not trial this service with the notion that they were committing a criminal act which weighs in their favour. Its not necessarily an excuse, but an action is very different if it is conducted with the knowledge that it is illegal and liable to cause harm, than if the action is conducted in complete innocence. I do find troubling the notion that consent was implied since it was "going to benefit customers." Surely, the spammers would also agree. These pills will enhance your manhood and your life. This cheap watch will benefit your wrist. Consent is either given or it is not given. In the electronic world consent can be captured and stored in an auditable form to clarify any such matter. Inventing a concept of implied consent that applies in the electronic networked world seems to me very dangerous. Would society accept an accused rapist who's defense is that the victim implied consent because the attacker believed the victim might enjoy the experience? Adopting this concept leads to the conclusion that because you would enjoy health benefits from working, then I have your implied consent to take your car. It really doesn't work. Consent is either given and can be proved, or it is not given. There cannot be any half measures that apply to the networked world.

Some links to articles that I haven't had time to write about.

Creativity can thrive, if you keep the e-mail in check

Global Trail of an Online Crime Ring

Terminology

Russische Cyber-Ganoven attackieren Spam-Jäger

Hacker Launches Botnet Attack via P2P Software

Personal data is precious. Individuals don't like their personal information being in unknown hands or mislaid. Spammers and scammers love personal information, its how they send you spam and how they can earn their livings by abusing your identity. All too often its easy to forget the value of personal data when its in the form of a database dump or a spreadsheet file. Which is why its very easy to download the information to a USB drive, then loose it.
The cancellation of a £1.5 million contract with PA Consulting by the British Government due to the loss of a USB drive with ~100 000 personal details on it sends a very strong message to industry about the value of personal information. Would anyone store £1.5 million in cash in an office drawer then loose it? Unlikely, its time for attitudes to change.

The art of spam and malware filtering is to detect if something is 'odd'. Normal legitimate things do normal legitimate stuff. Evil, nasty things just look 'odd' or try to disguise themselves as being somehow 'normal' but end up looking worse.
Consider the Big Bad Wolf in Little Red Riding Hood, a large wolf roaming around a middle European forest, is normal. Possibly this is something to keep an eye on as a possible threat, but nothing particularly out of the ordinary. You may want to round up your sheep, make sure your small children play indoors, or even gather a stout stick and some rocks in case it comes too close, but it does not warrant too much thought or worry. However, a large wolf dressed in Grandma's clothing, attempting to imitate an old lady is a sign of something being distinctly wrong. Why would a wolf attempt to disguise itself unless it was up to no good? A wolf dressed as an old lady is time to call for help, grab the pitch fork and alert the other villagers. Something bad is going on, its time for defense.
Yet time and time again spammers think that adding a disguise is a good way to get past spam filters. Which is why this attempt to escape spam detection is so laughable. Replacing each letter by an XML entity may disguise the content of the email from simple inspection. Yet, by attempting to hide the content of the email the spammer is drawing attention to themselves as being up to no good. There are very few contexts in which I'd expect to see every character in an email expressed as an XML entity. If I see this, I don't need to do any deep analysis of the email content, I know I'm dealing with an email that it highly likely to be dodgy, and can treat it accordingly.

It seems that the UK ex-National HiTech Crime Unit has let its domain lapse. No doubt the domain was owned by the communications unit, who thought that since the organisation was rebranded the "Serious Organsied Crime Agency" with a shiny new website, the old domain was surplus to requirements.
The domain name might have been surplus, the website might not have been needed, but the domain would still attract email. Long after a domain has become defunct and all users migrated to a new domain, the old domain still gets sent email. The newsletters to which users had subscribed are still received. Friends and colleagues still use the old address, worse circulation lists have new addresses added, but don't remove the old addresses. The result is, a lot of private and confidential information still gets sent to the old domain.
If you no longer own that domain, all that information gets sent to the new owner who can do whatever they like with it. That is why it is pure folly to let your domain lapse, not only can someone impersonate you, but they get to read part of your email too.

Cracked.com's guide to spamming
here. Worth a read, its funny.