locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Fri, 29 Jun 2007 (Blog #625)
Is the WHOIS service used as a source for email addresses for spammers?

To some, the answer to the question posed in the title of this blog entry is, "Of course!" However, an FTC report written in 2003 claimed otherwise, and that report has been cited repeatedly in discussions whenever the subject of uses and abuses of the WHOIS service is raised. My SSAC colleague Ram Mohan and staff at Afilias conducted a study to answer this very specific question. His experiments demonstrate that email addresses that are publicly available only via WHOIS (i.e., not published or used anywhere else on the Internet, for any purpose) and not otherwise protected by a registry or registrar service that prevents abuse or automated collection will likely receive spam.

The preliminary results of this study were presented during the ICANN meeting in San Juan. A PDF of Ram's presentation is available now. I am in the process of finalizing an SSAC report that explores the data collected during Ram's experiments in greater detail. I'll post here when that report is available.
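The experiment described above boils down to a canary (honeytoken) address design: each address is seeded in exactly one place, so any spam it receives identifies that place as the harvester's source. The following added example, which is not part of this post or of Ram Mohan's study, shows one way to derive such addresses and to attribute inbound spam to the channel that leaked them. The secret, domain, channel names and "To:" headers are constructed for the example.

```python
import hashlib
import hmac
from email.utils import getaddresses

# Constructed secret and domain for this example. A real deployment keeps the
# secret outside the code and uses a domain it controls.
SECRET = b"change-me-this-is-a-demo-secret"
DOMAIN = "example.net"


def canary_address(channel: str, secret: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Derive a unique, unguessable local part for one publication channel.

    HMAC rather than a plain hash means a harvester who sees several canaries
    cannot work out the scheme and forge or enumerate the others.
    """
    tag = hmac.new(secret, channel.encode(), hashlib.sha256).hexdigest()[:12]
    return f"c-{tag}@{domain}"


def build_registry(channels):
    """Map each canary address back to the channel it was seeded in."""
    return {canary_address(ch): ch for ch in channels}


def attribute_message(raw_to_header: str, registry: dict) -> list:
    """Return the channels implicated by the recipients of one inbound message."""
    hits = []
    for _name, addr in getaddresses([raw_to_header]):
        ch = registry.get(addr.lower())   # mailbox names are matched case-insensitively
        if ch is not None:
            hits.append(ch)
    return hits


def leak_report(messages, registry) -> dict:
    """Count spam received per channel; a zero count means no detected leak."""
    counts = {ch: 0 for ch in registry.values()}
    for hdr in messages:
        for ch in attribute_message(hdr, registry):
            counts[ch] += 1
    return counts


# Channels in the spirit of the experiment: addresses seen only in unprotected
# WHOIS, addresses behind a registrar anti-harvesting measure, and a control
# set that is never published anywhere.
CHANNELS = ["whois-unprotected", "whois-protected", "control-unpublished"]
REGISTRY = build_registry(CHANNELS)

# Constructed "To:" headers standing in for a mailbox of received spam.
SAMPLE_TO_HEADERS = [
    f"<{canary_address('whois-unprotected')}>",
    f"Someone <{canary_address('whois-unprotected').upper()}>",
    "bogus@example.org, " + canary_address("whois-unprotected"),
    "unrelated@example.org",
]

if __name__ == "__main__":
    for ch, n in leak_report(SAMPLE_TO_HEADERS, REGISTRY).items():
        print(f"{ch:22s} {n} spam message(s)")
```

The control channel matters as much as the seeded ones: if the never-published addresses also receive mail, the harvester is guessing mailbox names rather than reading WHOIS, and the result says nothing about WHOIS at all.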

Archived at http://www.securityskeptic.com/arc20070601.htm#BlogID625 by Dave Piscitello  


Thu, 28 Jun 2007 (Blog #624)
Dealing with parking pages when you anticipate HTTP/404

I wrote about some of the unsettling problems that domain name monetization poses for Internet users, and how pages that offer no content except pay-per-click (PPC) advertising have re-shaped the PPC market, in Blog #554. I'm now wrestling with the problem of detecting and pruning hyperlinks to PPC landing pages that are creeping into my many resources pages.

Before domain name monetization, a small web admin could periodically run hyperlink-checking software to identify, correct, or cull broken links, i.e., those pages that returned HTTP/404 errors. But how does a web admin detect cases where a domain name changes hands from a registrant whose content complements the content of the web admin's site to a landing page (or worse, a page with objectionable or embarrassing content)? A status check alone won't do it: the parking page answers HTTP/200 just as the original page did.

A case study at my site is my Security Library. For some time, I've listed Technotronic.com as an informative site for security practitioners interested in attacks, exploits, vulnerabilities, and forensic tools. In February 2007 this domain changed hands and is now registered to Domain Name Sales Corporation. Unfortunately, my customary hyperlink checks did not catch the change in registrant, and I only detected this change by happenstance: I hadn't visited Technotronic for a while and wanted to see what was new. Fortunately, the parking page Domain Name Sales posts at technotronic.com is benign: while there is nothing remotely associated with Internet security at that page, there is nothing objectionable either. (By the time you read this blog I will have removed this reference.)

My problem can't be unique. I have in excess of 2000 external links on my small site. I now need an inexpensive tool or method that not only checks for broken links but also identifies links whose domains have changed hands and whose content has changed. I'd love some input from anyone who's coping with this problem, and I'll post what I receive.
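The check this post is asking for, as an added example rather than a tool from the post: each approved link is recorded as a fingerprint (title, visible word count, optionally the WHOIS registrant at the time), and later fetches are compared against it, so a page that still returns HTTP/200 but has turned into a parking page is flagged. The parking-page phrases, the sample pages, the URL and the registrant names are constructed assumptions; fetching the page and looking up the WHOIS record are left to the caller.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that commonly appear on pay-per-click parking pages. An assumed
# starting list for this example, not something taken from the post.
PARKING_MARKERS = [
    r"this domain (?:is|may be) for sale",
    r"buy this domain",
    r"related searches",
    r"sponsored listings",
    r"domain parking",
]


class _TextExtractor(HTMLParser):
    """Collect the <title> and the visible text, skipping <script>/<style>."""

    def __init__(self):
        super().__init__()
        self.title, self.chunks, self._in_title, self._skip = "", [], False, 0

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif not self._skip:
            self.chunks.append(data)


def fingerprint(html: str) -> dict:
    """Summarise a page so later fetches can be compared against it."""
    p = _TextExtractor()
    p.feed(html)
    text = " ".join(" ".join(p.chunks).split())
    return {
        "title": " ".join(p.title.split()),
        "words": len(text.split()),
        "parking_hits": [m for m in PARKING_MARKERS if re.search(m, text, re.I)],
    }


def _host(url: str) -> str:
    h = (urlparse(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h


def assess_link(url, status, final_url, html, baseline, registrant=None):
    """Return the reasons a link needs human review; an empty list means it passed.

    baseline is the fingerprint stored when the link was approved, optionally
    with a "registrant" key holding the WHOIS registrant recorded at that time.
    registrant is the current WHOIS registrant, if the caller looked it up.
    """
    reasons = []
    if status != 200:
        reasons.append(f"HTTP {status}")
    if final_url and _host(final_url) != _host(url):
        reasons.append(f"redirected off-site to {final_url}")
    now = fingerprint(html)
    if now["parking_hits"]:
        reasons.append("parking-page markers: " + ", ".join(now["parking_hits"]))
    if now["title"] != baseline["title"]:
        reasons.append(f"title changed: {baseline['title']!r} -> {now['title']!r}")
    if now["words"] < baseline["words"] / 4:
        reasons.append("visible text shrank to under a quarter of the original")
    if registrant and baseline.get("registrant") and registrant != baseline["registrant"]:
        reasons.append(f"WHOIS registrant changed: {baseline['registrant']!r} -> {registrant!r}")
    return reasons


# Constructed pages: what a link pointed at when it was added, and a parking
# page of the kind that can replace it when the domain changes hands.
ORIGINAL_HTML = """<html><head><title>Example Security Tools Archive</title></head>
<body><h1>Security Tools Archive</h1>
<p>An archive of exploit write-ups, vulnerability advisories and forensic
tools for security practitioners. Browse by category or search the index.</p>
<ul><li>Exploits</li><li>Advisories</li><li>Forensics</li><li>Papers</li></ul>
</body></html>"""

PARKED_HTML = """<html><head><title>example.com</title></head>
<body><script>var pk = 1;</script>
<h2>Related Searches</h2><p>Sponsored Listings</p>
<p>This domain may be for sale.</p></body></html>"""

BASELINE = dict(fingerprint(ORIGINAL_HTML), registrant="Original Registrant LLC")

if __name__ == "__main__":
    url = "http://www.example.com/tools/"   # constructed
    print("unchanged:", assess_link(url, 200, url, ORIGINAL_HTML, BASELINE, "Original Registrant LLC"))
    print("parked:   ", assess_link(url, 200, "http://example.com/", PARKED_HTML, BASELINE, "New Owner (constructed)"))
```

To run this over a resources page, fetch each URL (following redirects and keeping the final URL and status), parse the registrant line out of the WHOIS response, and pass the results to assess_link; anything with a non-empty reason list goes to a human. Rate-limit the WHOIS side, since registries and registrars throttle bulk queries, and treat the title and word-count checks as hints: legitimate sites redesign too, so the fingerprint should be refreshed once a reviewer approves the new page.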

Archived at http://www.securityskeptic.com/arc20070601.htm#BlogID624 by Dave Piscitello  


Fri, 08 Jun 2007 (Blog #623)
OpenOffice vs. Microsoft Office

James Gaskin has written a fine article about the rising and questionable cost of putting Microsoft Office on every employee's desktop, when OpenOffice may more than suffice. Commenting on the F.U.D. that is often written to scare companies away from open source - questionable origin, incompatibilities, no customer service and technical support, phantom product enhancement time lines - Jim bluntly states, "any company that automatically puts Microsoft Office on every computer wastes bags and bags of money" and then does the math to prove his point.

Rather than attempt to summarize an article I really encourage you to read, I'll provide this pointer - OpenOffice vs. Microsoft Office - and add my $.02.

OpenOffice is very powerful. The UI is familiar enough that most Office users should have no problem adapting to OpenOffice's menus, pulldowns and commands. I do this whenever Redmond blesses us with a new version of Office, don't you? I've encountered a few incompatibilities with Office documents, but nothing that dissuades me from using or recommending it. If you are worried about the origin of the code and support, you can buy StarOffice from Sun Microsystems for the small price of $75 per user. (If you're worried about product enhancements, then you need to find a life outside document preparation.)

If you think you'll have trouble weaning employees off Office, then try candy instead of a stick. By Jim's estimate, you will save $300-350 per user by substituting OpenOffice for Office. Offer your employees a choice: a standard Windows XP/Vista OS with MS Office installed *or* a standard Windows XP/Vista OS with OpenOffice installed and a $100 bonus for using Open Source.

Archived at http://www.securityskeptic.com/arc20070601.htm#BlogID623 by Dave Piscitello  


Wed, 06 Jun 2007 (Blog #622)
The office or the man

A woman interviewed following a debate among 2008 Republican Party candidates expressed her unhappiness with the way many of the Presidential hopefuls lashed out at President Bush, saying, "He's the sitting President and as long as he is in office he deserves our respect".

I take exception to this statement in so many ways I couldn't avoid posting a political rant.

  • My high school wrestling coach taught me that no one deserves respect, but everyone must earn it. My son's coach told him the same thing. I'm glad to see this belief has endured and hope it's not only wrestlers who are taught this creed.

  • An individual who occupies an elected seat in a democracy serves the people. The current sitting US President was elected, and it is clear that he earned the respect of a good percentage of the populace on several occasions during the course of his political career.

  • Earning respect is not a "once and done" task. As a wrestler, you had to earn it every time you stepped on a mat. Americans expect no less from their President; in fact, they are more demanding.

  • While he may not have Presidential moments as frequently as many of his predecessors, many Americans believe he acted in a Presidential manner following September 11th. So at one time, the sitting President earned respect.

  • Public approval ratings in May 2007 indicate that fewer than one in three Americans approve of how the Bush administration is governing the country and that number could easily plummet to one in four by July. Whether you believe polls are fact or whimsy, you have to consider the possibility that the sitting US President is not earning respect at home and abroad.

Most Americans and more broadly, citizens in most countries, respect the office of the US President immensely. My experience (and embarrassment) when traveling internationally is that I find citizens of other countries fret more over what the sitting US President does and how he has acted during his term-and-a-half than a good many Americans.

People who have the privilege of living in a democracy should respect the office of the President. We should also be demanding and critical of any President who does not try to exceed our expectations every day, who acts with less than Presidential demeanor even (especially!) when dealing with members of the press who are intent on pushing his buttons; in short, a President who does not earn our respect.

One last point. We continue to call former US Presidents "Mr. President" long after they hold office. This means that US Presidents have a daunting task.

They must continue to earn our respect for as long as they live.

Archived at http://www.securityskeptic.com/arc20070601.htm#BlogID622 by Dave Piscitello  


Mon, 04 Jun 2007 (Blog #621)
Add CAPTCHA to your web site

One of the most common email harvesting methods used by spammers is spambotting, where automated software crawls web sites and harvests email addresses. For a while, many folks tried to thwart harvesting by what I'll call @ avoidance, i.e., writing an email address in a form such as user [at] domain. Spambots are now sophisticated enough to search for this and other permutations of email addresses.
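To see why @ avoidance buys nothing, here is an added example (not code from this post) of the kind of harvester a spambot runs: one regular expression that accepts the plain form, the bracketed "[at]" and "[dot]" spellings, spaced-out dots, and HTML character entities, then normalises everything back to a plain address. The page snippet and the addresses in it are constructed for the example.

```python
import html
import re

# Accept a literal "@" / "." or the usual spelled-out substitutes, e.g.
# "user [at] example [dot] com", "user (at) example . com", "user AT example DOT com".
AT = r"(?:@|\s*[\[\(\{]\s*at\s*[\]\)\}]\s*|\s+at\s+)"
DOT = r"(?:\s*\.\s*|\s*[\[\(\{]\s*dot\s*[\]\)\}]\s*|\s+dot\s+)"
LOCAL = r"[a-z0-9._%+-]+"
LABEL = r"[a-z0-9-]+"
ADDRESS = re.compile(rf"\b({LOCAL}){AT}({LABEL}(?:{DOT}{LABEL})+)\b", re.IGNORECASE)


def harvest(page: str) -> set:
    """Return every address a harvester could recover from one page."""
    text = html.unescape(page)            # undo &#64; / &#46; style encoding first
    found = set()
    for m in ADDRESS.finditer(text):
        local, domain = m.group(1), m.group(2)
        domain = re.sub(DOT, ".", domain, flags=re.IGNORECASE)   # "[dot]" -> "."
        found.add(f"{local}@{domain}".lower())
    return found


def obfuscate(address: str) -> str:
    """The "@ avoidance" scheme from the post, as a web author would apply it."""
    local, domain = address.split("@")
    return f"{local} [at] {domain.replace('.', ' [dot] ')}"


# Constructed page mixing a plain mailto: link with four obfuscation styles.
SAMPLE_PAGE = """<p>Contact: <a href="mailto:alice@example.com">alice@example.com</a></p>
<p>Or write to bob [at] example [dot] org</p>
<p>Support: carol (at) support . example . net</p>
<p>Legacy: dave&#64;example&#46;com</p>
<p>Press: erin AT example DOT co DOT uk</p>"""

if __name__ == "__main__":
    for addr in sorted(harvest(SAMPLE_PAGE)):
        print(addr)
    print(harvest(obfuscate("webmaster@example.org")))
```

A harvester tolerates false positives (sending to a bogus address costs the spammer nothing), so the pattern deliberately errs toward matching. The only protection that survives this is not having the address in the page source at all, which is what gating it behind a CAPTCHA achieves.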

If you must post your email address on web pages, a better method is to add CAPTCHA-based email protection. A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) program creates a test or challenge that a human being can correctly answer but a spambot cannot. The most commonly used CAPTCHA technique is one where a user must type words that have been displayed, often in a distorted form. Another form, ESP-PIX, presents the user with a set of images, and the user must identify an object that is common to the displayed set.

Some wonderful folks at Carnegie Mellon University provide a simple means to add CAPTCHA to your web site. Visit The reCAPTCHA Project to generate HTML to CAPTCHA-protect your email address. Enter your email address in the reCAPTCHA Mailhide form, then cut, paste and customize the HTML, and include it wherever you publish your email address. The point is that the address itself no longer appears anywhere in your page source; a harvester sees only a link to the challenge.

For example, my blog pages no longer include mailto: HTML statements. Instead, I've included a hyperlink in my left navigation bar. Click on that link and you'll be challenged in this manner:

[image: reCAPTCHA Mailhide challenge]

Answer correctly and you'll see:

[image: the revealed email address]

My email address is pretty much out in the wild, but I'm adding it on my site to illustrate a point and hopefully help others mitigate spam.

Archived at http://www.securityskeptic.com/arc20070601.htm#BlogID621 by Dave Piscitello