Showing posts with label doom. Show all posts

8 Dec 2008

Spam now leverages social networks

Spambot
I've been getting spam lately purporting to be from a former co-worker. Apparently they harvested her MSN Messenger list – it impersonates her Hotmail account and sends to my work account.

This was probably due to a virus which hijacked MSN Messenger, a notoriously problematic service: between the service outages, trojans and viruses, its usefulness is debatable. But even as Microsoft gets its security act together a decade too late, the attack is inevitably shifting someplace else.

With social networking sites asking for email passwords to "import connections", people respond quickly. After all, they say it's safe, and you can always change your password later (but you don't). As has been pointed out, as an industry we've trained people to type passwords, and that's what they do – whether it's a good idea or not, and that's why phishing is so successful. But once they have your contact list they can keep that forever, and it's a wonderful tool for a spammer.

Facebook and Twitter are unlikely to misuse this data too egregiously; they are connected to real money and companies with reputations to protect. But Pownce, which is going out of business – what about their data? And tacky little utilities like Twitterank which spam your stream: you'd better believe they're warehousing your connections. And your private messages. And everything else. You can put these things together and draw meaningful conclusions about the people involved.

Science fiction has been talking about spambots impersonating your family and friends for years, but now it's happening for real, and expect to see a whole hell of a lot more of it. Expect to start seeing requests from friends and family, asking for money through new and unfamiliar websites (or even familiar websites that have been compromised). Expect increasingly strange and subtle requests: you may not even know what they're really trying to get you to do, or why. In short, this is going to get deeply weird, really fast.

23 Oct 2008

Central authentication is coming, and here's a good reason why

Some interesting reading today on OpenID, Facebook Connect, and the dog's breakfast of authentication standards in the market:
Facebook Connect and OpenID Relationship Status: “It’s Complicated” – John McCrea of Plaxo
The authentication landscape appears to be coalescing. I think a lot of vendors will still want to have a "walled garden" ID scheme, but I'm inclined to think their customers will drag them kicking and screaming into a federated identity world.

I have a good reason to think so. People already use a dangerous form of single sign-on: they use the same user ID and password across multiple sites. Some day soon an enterprising young script kiddie from Yemen is going to sit down and write a Distributed Identity Theft Attack that will plunder the databases of weak sites (like some forum that you don't even remember signing up for) to take possession of more valuable sites (like Facebook and LinkedIn) and then finally the holy grail (your email account, used to unlock everything else). Nobody, not even Bruce Schneier (by his own admission), has a different password for every site: at best, we have low-, medium-, and high-security passwords. But if you're using the same password everywhere, you're only as secure as the weakest site you visit, which means gold bars for the putative Yemeni banks.

Also, über-paranoid password complexity and periodic forced password change rules actually encourage people to use a password formula across different sites, and to change only the last character in a preset sequence. They're virtually assured to do so, because security training has taught people to never, under any circumstances, write down their passwords. So a dictionary attack will still work in most cases for the DITA outlined above – forty-seven variants isn't a lot to try, and most sites don't lock accounts for password failure.
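The formula-password problem described above can be caught at password-change time rather than left to the attacker to exploit. The following is an added example, not code from the original post: it rejects a candidate password that is a trivial rotation of the previous one, either the same stem with only a trailing counter or symbol changed, or anything within two single-character edits. The function names and the sample passwords are constructed for illustration.

```python
import re
from typing import Optional

# Added example, not from the original post. A password-change check
# that rejects "formula" rotations: the same stem with only a trailing
# counter or symbol changed, or anything within a couple of edits of
# the previous password. Assumes the previous password is available in
# plaintext at change time (the user has just typed it to authenticate).


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between a and b (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


# A stem (at least one character) followed by trailing digits and/or symbols:
# the shape of "Summer07", "Winter2008!" and their rotated successors.
_SUFFIX = re.compile(r"^(.+?)([0-9!@#$%^&*.?_-]+)$")


def same_formula(old: str, new: str) -> bool:
    """True when both share a stem and differ only in trailing digits/symbols."""
    mo, mn = _SUFFIX.match(old), _SUFFIX.match(new)
    return bool(mo and mn and mo.group(1).lower() == mn.group(1).lower())


def rotation_problem(old: str, new: str, max_edits: int = 2) -> Optional[str]:
    """Return a rejection reason, or None if new is not a trivial variant of old."""
    if old.lower() == new.lower():
        return "unchanged apart from letter case"
    if same_formula(old, new):
        return "same stem with only the trailing counter/symbol changed"
    if edit_distance(old.lower(), new.lower()) <= max_edits:
        return f"within {max_edits} edits of the previous password"
    return None


if __name__ == "__main__":
    # Constructed sample rotations, not real credentials.
    for old, new in [("Summer07", "Summer08"), ("Winter2008!", "Winter2009!"),
                     ("correct horse", "correct horse!"), ("Summer07", "Tr0ub4dor&3")]:
        print(f"{old!r} -> {new!r}: {rotation_problem(old, new) or 'accepted'}")
```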

So go change your online banking password right now, I'll wait. Don't forget PayPal, too. And Amazon, which holds your credit card info, as does iTunes.

So, we'll stumble along with our user ID (which is, often as not, the email address) and password (same everywhere) until the Russian Business Network strings together some Perl code and causes a smart-spam and bank fraud wave big enough to shake consumer confidence in the web. At the very least, consumers will learn not to trust websites with homegrown authentication. They'll pick one or two big-name vendors they trust.

25 Sept 2008

Not one god-damned red cent for Wall Street

I'm just as deep in the stock market as anyone else is these days. After all, government policy has been urging employers to gut pension plans (remember guaranteed retirement benefits?) in favour of investment plans (with only a set contribution, but no guaranteed returns). So most of my retirement savings is tied up in the stock market, which is a risky gamble. I could lose it, but I wanted the big payoffs that stocks might provide, so I took a chance.

That's how the free market is supposed to work, right? Isn't that what Nobel-prize winner Milton Friedman said? Isn't that the ideology which has been ascendant in the US for the past twenty-eight years? If the banking industry isn't working miracles with all of those fantastic new financial instruments they've cooked up, and are in fact just building an elaborate confection that is collapsing on itself, why should we prop it up? It sounds like a huge proportion of the finance industry is doing things of no real economic value. They need a huge handout (plenty of which they'll pass back as "campaign contributions"), and if we give it they'll demand another huge handout in a year after they waste this one.

So fine, let my portfolio lose seventy-five percent of its value. Even ninety-five percent – we'll work it out. I'd rather spend a trillion dollars helping people in need than wasting it on more empty suits. Recessions are necessary: endlessly trying to apply the juice to extend a boom just makes the crash that much harder, and that's what we're seeing now. So let it go, and then we'll work out a more relevant (and possibly even less corrupt) financial system.

Bush said today the sky is falling so we've got to unlock the US Treasury with no questions asked and no accountability. He's the same guy that wanted to gut Social Security and put it all in the stock market! (Wow, too bad we didn't get to experience all of that great growth, huh?) First, we had to surrender all of our civil liberties because the terrorists were going to kill us all with box cutters. Second, we had to invade another country because they were going to nuke our balls. Now we're supposed to give an enormous birthday present to Wall Street because they blew our money on bear whores and cocaine. The man has no credibility. Fool me thrice: go fuck yourself.

Giving a huge payoff to this gang of crooks won't do a damned bit of good; it just encourages them to do it again. Write your senators and representative and tell them no. Maybe some regulation is in order. Maybe the banks need to be nationalized. Maybe mortgages need to be refinanced en masse. Maybe some depositors are going to lose their money (me included). So be it: when there is hell to pay, I'll pay it, but I won't pay one god-damned red cent in protection money.

5 Feb 2008

Cheerleader of the Apocalypse

Lenie Clarke, [anti-]heroine of the Rifters trilogy
Peter Watts is one of the most delightfully pessimistic authors I've ever read. His breakout novel, Starfish, gave me temporary serotonin depletion before it energized me with vicarious grim satisfaction. The cozily hopeless ambiance of inescapable doom continued in the next three books of the Rifters trilogy (yes, it is a four-book trilogy, okay?), but evolved from a self-pitying wide-eyed hopelessness into a grimly enthusiastic, squinting near-nihilism which... somehow... strangely... never failed to lose hope. It is precisely my cup of tea, and I recommend it to anyone who is interested in the environment, natural disasters, biology, software, and the evolution of geopolitics. Mr. Watts is Canadian, and used to work at the Vancouver Aquarium, and many of the settings are familiar: Vancouver, Toronto, Sudbury.

His stories are grounded in real bioscience – and he provides wonderful notes and references in the appendices. Some of his pessimistic predictions about the timeline for weird bioscience, climate change and various enviro-disasters have been, if anything, optimistic.
"I thought I had years before this stuff caught up with me." (Footnotes to ßehemoth)
His fourth (fifth) novel, Blindsight, is a deep-space adventure with a fun take on the nature of consciousness. And vampires. Good stuff.

All four (five) of his books (and many short stories) are available for free download on his site (which is awesome, shiny, rich & deep). I have donated twice to his tip jar (which he dedicates to the care and feeding of his cats); although I bought the books the first time I read them, I subsequently gave them away, but when I wanted to read them again I could, so I really appreciate that he puts them online.

3 Jul 2006

Google takes on payment processing

Analysts are billing it as a "PayPal killer" but I think that's off the mark.

Being me, I have to search for an apt analogy: if this is a PayPal killer, then mammals were a coelacanth killer. Which is to say: I think Google has a bigger target in mind than PayPal, which is a small piece of the pie (which everyone hates anyhow). Instead they're taking on the banks, First Data, and (since the acquisition of Verus) Sage.

Let's see, add together Google Base, Google "office" (gmail, spreadsheets, etc), and now Google Checkout? That's starting to look like an ERP or NetSuite-type solution pretty fast.

And now, a cautionary tale:

In 1974, IBM created SNA (the Systems Network Architecture). They built something with the ultimate depth of (mainframe) functionality in preparation for the explosion they saw coming in computer networks. I picture the Big Bluers sitting around a conference table in Poughkeepsie, chainsmoking Pall Malls and saying, "by gilly, someday there could be as many as a thousand machines networked together! We must make sure we defend IBM's mainframe market share in that environment!"

SNA has disappeared from view. Sure, there must be a couple of SNA networks out there... coelacanths. TCP/IP and other smaller, more flexible network stacks were what carried us to where we are today. I once read that OSI (another dead network protocol stack) was a "mammal designed by a saurian committee."

When the climate changes, species either mutate or become evolutionary niche players. Reproduction doesn't cut it anymore.

30 May 2006

Going down in flames

Flameproof flannel pyjamas, 100% Polyester, 1979 Sears Wishbook, page 19
I remember the flame-retardant polyester flannel pyjamas I used to wear: they were so stiff they practically didn't bend. I used to take off the shirt because it was too uncomfortable, chafing my tender pre-teen flesh. At least I didn't burn to death. Heck, I probably could have used the shirt pocket as an ashtray. Since it was the 1970s, that was probably the design goal. At that point, Philip Morris was trying to figure out how to get every child in America puffing away on cancer sticks while lying in bed.

So now we can add flame retardants to the long list of things we should worry about. Thankfully I'm too old for infant immunizations, and I don't wear pyjamas. I can't help eyeing my nonstick pans with some suspicion -- I'm not getting rid of them, though I won't be huffing them anytime soon.

So far we have a culprit for cancer, hyperactivity and ADD, birth defects, low sperm counts, and depression. Now I'm waiting for the bad news on fabric softeners, which I'm hoping will provide me with a handy excuse for my lack of discipline.