August 30 2013

NSA-proof your e-mail in 2 hours | Sealed Abstract
http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours

A how-to for installing the whole #postfix #dovecot #dspam etc. stack in two hours. Of course, if a single one of those lines gets past you, your mail is rejected, deleted, or wanders off into the wild...

#email #selfhosting via the #caliop mailing list

August 21 2013

L’e-mail est-il mort ? La surveillance inévitable ? Voici le Projet #caliop
http://www.caliop.net/lemail-est-mort-la-surveillance-inevitable-presentation-du-projet-caliop

The Caliop project aims to provide tools and an e-mail platform that users can trust, with the confidentiality of communications guaranteed by design. Since the revelations around #prism have shown that users cannot trust services such as #gmail whose business model relies on advertising, and following the recent shutdown of several secure e-mail services, Caliop wants to rethink (...)

#email

August 10 2013

Lavabit’s Ladar Levison: ’If You Knew What I Know About Email, You Might Not Use It’ - Forbes
http://www.forbes.com/sites/kashmirhill/2013/08/09/lavabits-ladar-levison-if-you-knew-what-i-know-about-email-you-might-not-use

“This is about protecting all of our users, not just one in particular. It’s not my place to decide whether an investigation is just, but the government has the legal authority to force you to do things you’re uncomfortable with,” said Levison in a phone call on Friday. “The fact that I can’t talk about this is as big a problem as what they asked me to do.”

#statesurveillance #lavabit #email

August 09 2013

Cloud, Lavabit, trust: how surveillance is changing the Internet

While the surveillance scandal around Prism, XKeyscore & Co. has yet to die down, it is already becoming clear that it could also significantly change the Internet economy, the range of services on offer and the architecture of the Internet itself. A few links on the most recent developments:

US cloud providers fear losses

A study by the think tank Information Technology & Innovation Foundation (ITIF) forecasts revenue losses of 21.5 billion dollars over the next three years for US cloud providers such as Microsoft, Google or Amazon. Abroad, US providers could lose between 10 and 20 percent of their market share, concludes the study, which is based in part on surveys by the industry association Cloud Security Alliance.

European competitors of US services in particular have "recognized the opportunity and will try to seize it", the report notes. The ITIF is now calling on the American government to disclose information about the Prism program and to allow companies to inform their users more fully about requests from government agencies. "Transparency requirements" for US and EU companies should also be written into the transatlantic free trade agreement currently under negotiation.

Mail service Lavabit shuts down in protest

For smaller providers that place particular emphasis on data security and encryption, the surveillance scandal is an unexpected opportunity. At the same time, it is becoming clear that precisely these providers carry little weight: the encrypted e-mail service Lavabit ceased operations on Thursday. One can only speculate about the background, since apart from a statement on the service's website nothing more specific is known so far.

Lavabit founder Ladar Levison writes in drastic terms that he faced the choice of either "becoming complicit in crimes against the American people" or shutting down the service; he says he is not allowed to disclose the details. Edward Snowden is said to have used the service during his stay at the Moscow airport, and US authorities may have taken a particular interest in Lavabit since then.

Levison ultimately even advises against US services altogether:

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.

"Silent Circle" shuts down e-mail too

In the wake of the Lavabit shutdown, the provider Silent Circle today also discontinued its e-mail service. Chief technology officer Jon Callas, formerly a co-developer of PGP encryption, explains the decision in a blog post. Because of strong demand the company had until now offered an e-mail service as well, but that, he says, has to be reconsidered.

By comparison, he argues, e-mail is fundamentally no longer a secure channel of communication:

Email that uses standard Internet protocols cannot have the same security guarantees that real-time communications has. There are far too many leaks of information and metadata intrinsically in the email protocols themselves. Email as we know it with SMTP, POP3, and IMAP cannot be secure.

Callas refers to Lavabit in his post, but states that Silent Circle has received no demands for data from government agencies.
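
What Callas means by metadata leaking "intrinsically in the email protocols themselves" can be made concrete. The following is an added example, not code from Silent Circle, Lavabit or the post above: it parses a constructed PGP/MIME message (RFC 3156, the strongest end-to-end protection standard e-mail offers) and lists what an intermediate relay, the mailbox provider, or anyone with a subpoena for the mailbox can still read. All hostnames, addresses and the ciphertext placeholder are invented.

```python
"""Enumerate what a PGP/MIME-encrypted e-mail still exposes in transit.

Added example; not code from Silent Circle, Lavabit or the post above.
SAMPLE_MESSAGE is a constructed RFC 3156 message as an intermediate MTA
would see it: hostnames, addresses and the ciphertext are invented.
"""
import re
from email import message_from_string, policy

# Constructed sample message. Only the application/octet-stream part is
# ciphertext (a placeholder here, not real OpenPGP data).
SAMPLE_MESSAGE = """\
Received: from mail.example.org (mail.example.org [198.51.100.7])
\tby mx.example.net with ESMTPS id 7f3a2c; Fri, 09 Aug 2013 10:15:02 +0000
Received: from client.example.org (client.example.org [192.0.2.44])
\tby mail.example.org with ESMTPSA; Fri, 09 Aug 2013 10:14:58 +0000
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Cc: Carol <carol@example.com>
Subject: Re: meeting location for Tuesday
Date: Fri, 09 Aug 2013 10:14:55 +0000
Message-ID: <20130809101455.GA1234@client.example.org>
In-Reply-To: <9d1e0b2f@example.net>
User-Agent: Mutt/1.5.21 (2010-09-15)
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
\tboundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

hQEMA3hc2YQ8XkRpAQf9PLACEHOLDERnotRealCiphertext0123456789abcdef==
-----END PGP MESSAGE-----

--b1--
"""

# Headers that SMTP, IMAP and POP3 require or conventionally carry in the clear.
CLEARTEXT_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID",
                     "In-Reply-To", "User-Agent")


def parse(raw):
    """Parse an RFC 5322 message with the modern header-aware policy."""
    return message_from_string(raw, policy=policy.default)


def is_pgp_mime_encrypted(msg):
    """True for an RFC 3156 multipart/encrypted message using OpenPGP."""
    return (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted")


def cleartext_metadata(msg):
    """Headers readable by every relay, the mailbox provider and a subpoena."""
    return {h: str(msg[h]) for h in CLEARTEXT_HEADERS if msg[h] is not None}


def relay_path(msg):
    """IP addresses recorded in Received: headers, newest hop first, de-duplicated."""
    ips = []
    for rcvd in msg.get_all("Received", []):
        ips.extend(re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(rcvd)))
    return list(dict.fromkeys(ips))


def protected_bytes(msg):
    """Size of the only thing OpenPGP protects: the second part's ciphertext."""
    if not is_pgp_mime_encrypted(msg):
        return 0
    control, ciphertext = list(msg.iter_parts())[:2]
    assert control.get_content_type() == "application/pgp-encrypted"
    return len(ciphertext.get_content())


if __name__ == "__main__":
    m = parse(SAMPLE_MESSAGE)
    print("End-to-end encrypted body:", is_pgp_mime_encrypted(m),
          "(%d bytes protected)" % protected_bytes(m))
    print("Readable by every hop and by the mailbox provider:")
    for name, value in cleartext_metadata(m).items():
        print("  %-12s %s" % (name + ":", value))
    print("Relay path:", " -> ".join(relay_path(m)))
```

Only the second MIME part is protected. Sender, recipients, subject, timestamps, thread references, the sending client and the IP path are all in the clear, which is what "email as we know it with SMTP, POP3, and IMAP" cannot avoid: the relays need the envelope to route the message, and the headers are what IMAP and POP3 hand to the client before any decryption happens.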

A crisis of trust for service providers

The security researcher Bruce Schneier gave a remarkable answer to the question of which providers users can still trust, in a piece for CNN:

The truth is, I have no idea. No one outside the classified government world does. I tell people that they have no choice but to decide whom they trust and to then trust them as a matter of faith.

Not good prospects for users. Still, the Internet's thinkers and pioneers remain mostly optimistic. "The fight for control, and the soul, of the Internet has only just begun," writes Jeff Jarvis, for example.

May 16 2013

Four short links: 16 May 2013

  1. Australian Filter Scope Creep -- The Federal Government has confirmed its financial regulator has started requiring Australian Internet service providers to block websites suspected of providing fraudulent financial opportunities, in a move which appears to also open the door for other government agencies to unilaterally block sites they deem questionable in their own portfolios.
  2. Embedding Actions in Gmail — after years of benign neglect, it’s good to see Gmail worked on again. We’ve said for years that email’s a fertile ground for doing stuff better, and Google seem to have the religion. (see Send Money with Gmail for more).
  3. What Keeps Me Up at Night (Matt Webb) — Matt’s building a business around connected devices. Here he explains why the category could be owned by any of the big players. In times like this I remember Howard Aiken’s advice: Don’t worry about people stealing your ideas. If it is original you will have to ram it down their throats.
  4. Image Texture Predicts Avian Density and Species Richness (PLOSone) — Surprisingly and interestingly, remotely sensed vegetation structure measures (i.e., image texture) were often better predictors of avian density and species richness than field-measured vegetation structure, and thus show promise as a valuable tool for mapping habitat quality and characterizing biodiversity across broad areas.

April 24 2013

Four short links: 1 May 2013

  1. Pin: A Dynamic Binary Instrumentation Tool -- a dynamic binary instrumentation framework for the IA-32 and x86-64 instruction-set architectures that enables the creation of dynamic program analysis tools. Some tools built with Pin are Intel Parallel Inspector, Intel Parallel Amplifier and Intel Parallel Advisor. The tools created using Pin, called Pintools, can be used to perform program analysis on user space applications in Linux and Windows. As a dynamic binary instrumentation tool, instrumentation is performed at run time on the compiled binary files. Thus, it requires no recompiling of source code and can support instrumenting programs that dynamically generate code.
  2. Lasers Bringing Down Drones (Wired) — I’ve sat on this for a while, but it is still hypnotic. Autonomous attack, autonomous defence. Pessimist: we’ll be slaves of the better machine learning algorithm. Optimist: we can make love while the AIs make war.
  3. Advice on Rewriting It From Scratch — every word is true. Over my career, I’ve come to place a really strong value on figuring out how to break big changes into small, safe, value-generating pieces. It’s a sort of meta-design — designing the process of gradual, safe change.
  4. Creating Gmail Inbox Statistics Reports -- shows how to set up Gmail to send you an email at the beginning of each month showing statistics for the previous month, such as the number of emails you received, the top 5 people you sent email to, the top 5 you received email from, and charts of your daily usage.

April 16 2013

Four short links: 16 April 2013

  1. Triage — iPhone app to quickly triage your email in your downtime. See also the backstory. Awesome UI.
  2. Webcam Pulse Detector — I was wondering how long it would take someone to do the Eulerian video magnification in real code. Now I’m wondering how long it will take the patent-inspired takedown…
  3. How Microsoft Quietly Built the City of the Future -- The team now collects 500 million data transactions every 24 hours, and the smart buildings software presents engineers with prioritized lists of misbehaving equipment. Algorithms can balance out the cost of a fix in terms of money and energy being wasted with other factors such as how much impact fixing it will have on employees who work in that building. Because of that kind of analysis, a lower-cost problem in a research lab with critical operations may rank higher priority-wise than a higher-cost fix that directly affects few. Almost half of the issues the system identifies can be corrected in under a minute, Smith says.
  4. UDOO (Kickstarter) — mini PC that could run either Android or Linux, with an Arduino-compatible board embedded. Like faster Raspberry Pi but with Arduino Due-compatible I/O.

March 27 2013

Four short links: 27 March 2013

  1. The Effect of Group Attachment and Social Position on Prosocial Behavior (PLoSone) — notable, in my mind, for We conducted lab-in-the-field experiments involving 2,597 members of producer organizations in rural Uganda. cf. the recently reported "rich are more selfish than poor" findings, which (like a lot of behavioural economics research) studies Berkeley undergrads who weren't smart enough to figure out what was being studied.
  2. elephant -- an HTTP key/value store with full-text search and fast queries. Still a work in progress.
  3. geary (IndieGoGo) -- a beautiful modern open-source email client. Found this roughly the same time as elasticinbox -- an open source, reliable, distributed, scalable email store. Open source email action starting?
  4. The Faraday Copter (YouTube) — Tesla coil and quadrocopter madness. (via Jeff Jonas)

November 27 2012

U.S. Senate to consider long overdue reforms on electronic privacy

In 2010, electronic privacy needed digital due process. In 2012, it’s worth defending your vanishing rights online.

This week, there's an important issue before Washington that affects everyone who sends email, stores files in Dropbox or sends private messages on social media. In January, O'Reilly Media went dark in opposition to anti-piracy bills. Personally, I believe our right to digital due process for government access to private electronic communications is just as important.

Why? Here’s the context for my interest. The silver lining in the way former CIA Director David Petraeus’ affair was discovered may be its effect on the national debate around email and electronic privacy, and our rights in a surveillance state. The courts and Congress have failed to fully address the constitutionality of warrantless wiretapping of cellphones and the location of “persons of interest.” Phones themselves, however, are a red herring. What’s at stake is the Fourth Amendment in the 21st century, with respect to the personal user data that telecommunications and technology firms hold that government is requesting without digital due process.

On Thursday, the Senate Judiciary Committee will consider an update to the Electronic Communications Privacy Act (ECPA), the landmark 1986 legislation that governs the protections citizens have when they communicate using the Internet or cellphones. (It’s the small item on the bottom of this meeting page.)

If you somehow missed the uproar online last week, the tech policy world went a bit nutty when CNET’s Declan McCullagh broke a story about Senator Patrick Leahy (D-VT) rewriting the text of his ECPA amendment.

By the end of the day, Senator Leahy said he would not support that proposal, but what the draft reflected is pressure from law enforcement and federal regulatory agencies to not only keep warrantless access open but to enshrine it in law.

Today, Senator Leahy’s office posted a manager’s amendment and summary of changes for the committee’s consideration.

“The manager’s amendment is vastly improved, as compared to the controversial one last week,” said Greg Nojeim, senior counsel at the Center for Democracy & Technology and the director of its Project on Freedom, Security & Technology, in a phone interview.

“We support the manager’s amendment, and will support the bill,” he said. “It will establish a clear, consistent standard for law enforcement access to content. It will require a warrant going forward. This is a huge improvement over current law and will bring ECPA into the modern age.”

In a post on the amendment at CDT.org, Nojeim reiterated CDT’s support. “It will protect consumer privacy, remove the uncertainty law enforcement currently faces, and foster the growth of U.S. cloud computing companies, which will be able to promise their clients that the information they store in cloud will be as secure against government access as information stored locally,” he wrote.

Verify, then trust

This week, the senators on the Judiciary Committee are likely to continue to be under some pressure to suggest changes to this amendment that would weaken the protections in it. The manager's amendment already contains some concessions to law enforcement, with respect to extending the time periods after which the federal government must notify an individual that government has obtained electronic communications, or that a service provider must wait before informing that individual that those records have been obtained.

There’s also clarity that the search warrant requirement in this amendment does not apply to federal anti-terrorism laws, specifically the Foreign Intelligence Surveillance Act (FISA).

“We believe that they’ve kept the central protection in the manager’s amendment, that law enforcement must obtain a warrant to read private communications or digital content, such as documents stored in the cloud,” said Chris Calabrese, legislative counsel for the ACLU, in a phone interview. “That’s a huge privacy win, and we’re glad to see that that’s stayed in.”

Senator Leahy’s statement, however, does leave room for debate:

“I welcome the upcoming Senate Judiciary Committee debate on updating the Electronic Communications Privacy Act (ECPA) to better protect Americans’ digital privacy rights. Today, this critical privacy law is significantly outdated and out-paced by rapid changes in technology and the changing mission of our law enforcement agencies.

“When I led the effort to write the ECPA more than 25 years ago, no one could have imagined that emails would be stored electronically for years or envisioned the many new threats to privacy in cyberspace. That is why I am working to update this law to reflect the realities of our time and to better protect privacy in the digital age. I join the many privacy advocates, technology leaders, legal scholars and other stakeholders who support reforming ECPA to improve privacy rights in cyberspace. I hope that all members of the Committee will join me in supporting the effort in Congress to update this law to protect Americans’ privacy.”

The other side of the issue is represented by a diverse coalition of digital rights advocates that spans traditional ideological labels. Notably, Americans for Tax Reform and the American Civil Liberties Union (ACLU) agreed that electronic privacy deserves a bipartisan upgrade.

The coalition is urging people to go to VanishingRights.com to tell their senators to support warrants for personal electronic communication.

I think they’re on the right side of history.

May 08 2012

Four short links: 8 May 2012

  1. Gmail Vault -- app to back up and restore the contents of your Gmail account. (via Hacker News)
  2. Leaving Apps for HTML5 (Technology Review) -- We sold 353 subscriptions through the iPad. We never discovered how to avoid the necessity of designing both landscape and portrait versions of the magazine for the app. We wasted $124,000 on outsourced software development. We fought amongst ourselves, and people left the company. There was untold expense of spirit. I hated every moment of our experiment with apps, because it tried to impose something closed, old, and printlike on something open, new, and digital. (via Alex Howard)
  3. Your Two Weeks of Fame, and Your Grandmother's (PDF) -- researchers mined 20C news articles to see whether shrinking news cycles caused briefer fame. Instead they found duration of celebrity is largely steady across the entire century, though depending on how they measured celebrity they could sometimes see changes in the duration with the most famous. (via Google Research)
  4. Dan Pink's Travel Tips -- the author travels a lot and has passed on his tips in these videos.

January 09 2012

Four short links: 9 January 2012

  1. Mr. Daisey and the Apple Factory (This American Life) -- episode looking at the claims of human rights problems in Apple's Chinese factories.
  2. OpenPilot -- open source UAVs with cameras. Yes, a DIY spy drone on autopilot. (via Jim Stogdill)
  3. mbox -- more technical information than you ever thought you'd need, to be saved for the time when you have to parse mailbox files. It's a nightmare. (via Hacker News)
  4. Maui (Google Code) -- Maui automatically identifies main topics in text documents. Depending on the task, topics are tags, keywords, keyphrases, vocabulary terms, descriptors, index terms or titles of Wikipedia articles. GPLv3.

September 02 2011

Publishing News: Amazon and the sub-$300 tablet

Here's what caught my eye in publishing news this week.

Can Amazon's tablet crack the $300 barrier?

Editor's note: Shortly after we posted "Publishing News," TechCrunch published an exclusive about the Amazon tablet. The big news: it's called "Amazon Kindle," it's 7 inches wide, it's scheduled for release in late November, and — most notable — it will sell for $250.


A couple of interesting things happened on the ereader/tablet front this week. Sony announced its Sony Reader Wi-Fi, weighing in at a consumer-friendly $149. Forrester also released a report that explains "exactly how, and why, Amazon will disrupt the tablet market."

In a blog post, Forrester declares that "[if] Amazon launches a tablet at a sub-$300 price point — assuming it has enough supply to meet demand — we see Amazon selling 3-5 million tablets in Q4 alone." Perhaps spurred by HP's repeated "last runs" and $99 fire sale, "unnamed sources" at Amazon told the NY Post "[the] device will sell for hundreds less than the entry-point $499 iPad."

PC World notes: "[it] seems as if Amazon wants to sell more hardware first, and then hope to make up the difference in the sales of content later." It wouldn't be the first time Amazon bit the bullet to gain market share.

The "EMAIL" copyright turns 29

The copyright associated with "EMAIL" turned 29 this week (the copyright holder, V.A. Shiva, was 14 when he submitted the paperwork, which might explain the use of all caps). As you might expect, Shiva takes issue with declarations and predictions about email's demise.

Shiva writes on his blog:

Ironically, even as Zuckerburg declares as some trade journals said, "EMAIL IS DEAD," he is launching @Facebook as a direct challenge to GMail. He says it will have EMAIL in it, along with other types of "messaging." Facebook produces billions of EMAIL messages everyday.

[Infographic: a screenshot of the History of EMAIL infographic created by V.A. Shiva.]

Even with IM and texting on the rise, email won't be relegated to a retirement home anytime soon. We are, after all, in the Information Age and the Age of Social Media — and so far, email has been the tie that binds it all together.

Stephen King turns to Klout for pre-release marketing

In the wake of an author going apoplectic about a few books slipping out ahead of the scheduled release date, it's refreshing to see another big-name author purposefully using a similar technique as a marketing ploy. Stephen King's book "Mile 81" was published this week, but readers didn't necessarily have to wait for the official pub date to get their digital hands on the thing. King released early copies of the digital-only book to a few lucky people deemed influential (social-media-wise) by Klout.

King is no stranger to experimentation, but this latest promotion may have left something on the table. The early release copies, for instance, were made available just a few days before the actual release date. That's not all that impressive when compared to something like Pottermore, which is granting two months' worth of advanced access to early members. That said, "Mile 81" is a step in the right direction, and it'll be something to watch if King embraces a similar marketing strategy for his next full-price bestseller.

June 16 2011

Strata Week: The effort to digitize Palin's email archive

Here are a few of the data stories that caught my attention this week:

Sarah Palin's Inbox

Last Friday, in response to a years-old public records request, the state of Alaska finally released some 24,000 pages of emails sent by former governor Sarah Palin. And "pages" really is the operative word here. Palin's emails were all printed out — about 250 pounds of paper all told — at a printing cost of $725 per set. At least initially, the documents were only available to those who picked them up in Juneau — or to those willing to pay the high cost of having the six boxes mailed elsewhere.

Various organizations worked quickly to digitize the documents, but the task was so daunting that many news agencies, including The New York Times, called for crowdsourcing the review of the emails.

The Sunlight Foundation, an open government advocacy group, unveiled Sarah's Inbox this week, a site that makes it easier for people to search and examine Palin's emails.

The project echoes a similar one undertaken by the Sunlight Foundation last year when the group made a searchable interface for then Supreme Court nominee Elena Kagan's emails.

[Screenshot: one of Sarah Palin's many email messages archived at Sarah's Inbox.]

As the Sunlight Foundation notes:

Like Elena's Inbox, Sarah's Inbox faced staggering issues of data quality because government officials continue to release digital files as hideous printouts requiring a laborious and error-ridden optical character recognition (OCR) pass over. You will notice that many of the emails are garbled, incomplete or contain odd characters — please keep in mind that we did the best with what we had and are not responsible for the content. Due to the programmatic nature of the tools used to build this site, we recommend checking any research effort against the source files.

Legal limits on location data

Roughly two months after the iOS location story broke here on Radar, the U.S. legislature has taken steps to limit how both the government and private companies can use location data.

Two bills were introduced this week — one in the House and one in the Senate. The latter was proposed by Senators Al Franken and Richard Blumenthal and would require companies to obtain users' consent before sharing information about the location of a mobile device. The other bill, proposed by Representative Jason Chaffetz and Senator Ron Wyden, would require law enforcement agencies to obtain a warrant in order to track someone's location via their mobile phone.

The proposals are part of a larger effort to update digital privacy laws, as legislators seem to grow increasingly concerned about consumer protections and data security.

LexisNexis open sources its Hadoop alternative

Research company LexisNexis announced this week that it will open source its big data processing tools. LexisNexis is positioning its High Performance Computing Cluster (HPCC) Systems as an alternative to Hadoop, boasting that it can "process, analyze, and find links and associations in high volumes of complex data significantly faster and more accurately than current technology systems."

LexisNexis has a long history of working with big datasets and it began developing HPCC Systems internally in its Risk Solutions unit a decade ago. Risk Solutions CEO James Peck says the company has opted to open source HPCC in order to leverage the "innovation of the open source community to further the development of the platform for the benefit of our customers and the community."

HPCC Systems comprises a data-centric programming language and two processing platforms: the Thor Data Refinery Cluster and the Roxie Rapid Data Delivery Cluster.

We've been watching the Hadoop competition heat up over the last few months, and the entry by LexisNexis makes the development of big data technologies and the big data market even more interesting.

May 03 2011

Anatomy of a phish

The inevitable consequence of Sony's massive security screwup is that I'm drowning in phish: fraudulent emails purporting to come from some vendor or other, saying that my account has been deactivated and asking me to "confirm" credit card numbers and other personal data. The personal information of nearly 100 million Sony users was accessed (75 million announced last week, another 23 million this week). Given all the fraudulent credit card activity that must be generating, it's a great time to go out collecting even more credit card numbers by sending fake email telling people their accounts have been suspended for suspicious activity.

So it's time for a really brief review of online safety, at least with respect to phishy email:

  • Never trust any email communication asking for your credit card number. If a vendor does business with you, they already know your credit card number. If they need to "confirm" it, they can find some other way to contact you.
  • Never click on a link in an email message; you don't know where it's taking you. If you receive email from Amazon asking you for information, and you think it might be legitimate, type the URL into the browser yourself. Even if it's long.
  • Since phishes tell you your credit card account has been put on hold, you might as well check. Again, don't click on the link in the email; type it in yourself. If your account has actually been suspended, the vendor will make it easy for you to find out.
  • Do check your vendor's policy on their use of email. Amazon's policy (http://www.amazon.com/gp/help/customer/display.html?nodeId=15835501) lists information they will not ask for (including credit card numbers), and states that they won't ask you to verify your account information by clicking on a link in an email, etc. Unfortunately, their policy page is harder to find than it should be. There are also sites like PhishTank (http://www.phishtank.com/) that purport to maintain a global database of phishing sites. Don't hesitate to use them.
  • To the extent that the vendor allows you to report phishing attempts, do so. I have not always found vendors to be proactive, and to be honest, it's so easy to set up a phishing site (you can find plenty of kits for doing so online) that it's really like playing Whac-A-Mole: shut one down and two more pop up. But hey, it makes you feel like you're accomplishing something. Amazon asks you to forward suspicious email to stop-spoofing@amazon.com, and responds with an email message giving advice similar to what I've outlined above.

The Amazon phish I received this morning was extremely simple and easy to detect. There were two giveaways:

First, if you save the HTML that came with the email and look at it with a real text editor like Emacs or Vim, you'll notice that the URL for the Amazon logo is http://blogs.suntimes.com/ebert/amazon-logo.jpg. The sender is picking the logo up from the Chicago Sun-Times, not from Amazon's servers. To be clear, there's no reason a phishing site can't pull its design elements straight from the site it's impersonating, so a logo hosted anywhere else is a gift to the reader; this attack was particularly clueless.

[Screenshot: phish example with suspect image source.]

Second, the real giveaway is the included form. The URL for form submission is http://140.120.97.39/marl2.php: a bare IP address rather than a hostname, and no hint of Amazon anywhere. If you click that "submit" button, where is your data going? I don't know, and neither do you. A traceroute to that address showed it disappearing somewhere in Taiwan before losing track.

[Screenshot: phish example with suspicious form submission URL.]

That gives you an idea how the phish works: victims fill in a form and click a "submit" button, and it's all over. If you look, you can find sites selling stolen credit card numbers. That's where these will end up.

This phish was particularly clumsy. I've seen sites that included non-printing characters in the URL so that it looked correct when it was in the browser's URL bar. It might even look correct when you're inspecting the HTML, if you use an editor that's easily tricked. (That's why I recommend Emacs or Vim.) I've seen phishes that substituted 0 for O, or used other character substitutions, to create URLs that look legitimate but aren't.
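
The three giveaways discussed above (a logo hot-linked from an unrelated site, a form posting to a bare IP address, and look-alike URLs padded with characters you cannot see) can all be checked mechanically from the saved HTML. The following is an added example, not code from the original post: it collects every URL the message loads, links to or submits data to and flags the ones that do not belong to the vendor the mail claims to come from. The sample HTML is constructed; it reproduces the two URLs quoted in the text and adds an invented link containing a zero-width space.

```python
"""Flag the giveaways described above in a phishing e-mail's HTML.

Added example, not code from the original post. SAMPLE_PHISH_HTML is
constructed: it reproduces the two URLs quoted in the text (logo hot-linked
from a third-party site, form posting to a bare IP address) and adds an
invented link containing a zero-width space, the kind of hidden character
the text warns about.
"""
import ipaddress
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body of an "Amazon" phish.
SAMPLE_PHISH_HTML = """\
<html><body>
<img src="http://blogs.suntimes.com/ebert/amazon-logo.jpg" alt="Amazon">
<p>Your account has been suspended for suspicious activity.
Please confirm your payment details.</p>
<form method="post" action="http://140.120.97.39/marl2.php">
  <input name="cardnumber" type="text"> <input type="submit" value="Submit">
</form>
<a href="http://www.amaz\u200bon.com/gp/css/homepage.html">View your account</a>
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collect every URL the message loads, links to or submits data to."""

    def __init__(self):
        super().__init__()
        self.urls = []  # (kind, url) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.urls.append(("img", a["src"]))
        elif tag == "form" and a.get("action"):
            self.urls.append(("form", a["action"]))
        elif tag == "a" and a.get("href"):
            self.urls.append(("link", a["href"]))


def under_domain(host, claimed):
    """True if host is the claimed domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == claimed or host.endswith("." + claimed)


def is_ip_literal(host):
    """Legitimate vendors post forms to hostnames, not raw IP addresses."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hidden_chars(url):
    """Non-ASCII or control/format code points that can disguise a URL."""
    return [c for c in url if ord(c) > 0x7F or unicodedata.category(c)[0] == "C"]


def analyze(html, claimed_domain):
    """Return (kind, url, reason) for every URL that does not belong to claimed_domain."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for kind, url in collector.urls:
        odd = hidden_chars(url)
        if odd:  # check before parsing: the host itself may be the disguise
            findings.append((kind, url, "hidden characters %r in URL" % odd))
            continue
        host = urlparse(url).hostname or ""
        if not host:
            continue  # relative reference; nothing to check against
        if is_ip_literal(host):
            findings.append((kind, url, "bare IP address instead of a hostname"))
        elif not under_domain(host, claimed_domain):
            findings.append((kind, url, "host %s is not under %s" % (host, claimed_domain)))
    return findings


if __name__ == "__main__":
    for kind, url, reason in analyze(SAMPLE_PHISH_HTML, "amazon.com"):
        print("%-5s %s\n      -> %s" % (kind, url.encode("unicode_escape").decode(), reason))
```

Run against the constructed sample, it reports all three URLs: the Sun-Times image host, the IP-literal form action, and the link whose host only looks like amazon.com. The hidden-character check runs on the raw attribute text before URL parsing, because an editor or browser that normalizes the string is exactly what lets the disguise work.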

However, though you may have fun looking at the actual phish and figuring out what's wrong with it, don't go the other way: Never decide that a suspicious message looks legitimate and act on it. It isn't. If your vendor doesn't have a statement about what they will and won't do when contacting you via email, assume they follow Amazon's policy. And if they don't — if they really do ask you for your credit card number via an email message — let them suspend your account. You shouldn't be doing business with them anyway.

In a phone conversation about a year ago, security researcher Jeff Jonas told me that the future of phishing was very scary: phishing mails would come with enough personal information (knowledge of products you've bought, people you know) that it would be almost impossible for a victim to detect fraud. The extent of the Sony data breach is so massive that we may be about to fall off that cliff. I don't know if we're headed there yet, but it's clear: Sony has handed Internet criminals a tremendous gift. They're going to use it. There's going to be a lot of identity theft and other forms of fraud, and there will be phishers seeking to take further advantage of that situation.

April 12 2011

Four short links: 12 April 2011

  1. The Email Game -- game mechanics to get you answering email more efficiently. Can't wait to hear that conversation with corporate IT. "You want us to install what on the Exchange server?" (via Demo Day Wrapup)
  2. Stratified B-trees and versioning dictionaries -- A classic versioned data structure in storage and computer science is the copy-on-write (CoW) B-tree -- it underlies many of today's file systems and databases, including WAFL, ZFS, Btrfs and more. Unfortunately, it doesn't inherit the B-tree's optimality properties; it has poor space utilization, cannot offer fast updates, and relies on random IO to scale. Yet, nothing better has been developed since. We describe the `stratified B-tree', which beats all known semi-external memory versioned B-trees, including the CoW B-tree. In particular, it is the first versioned dictionary to achieve optimal tradeoffs between space, query and update performance. (via Bob Ippolito)
  3. DisplayCabinet (Ben Bashford) -- We embedded a group of inanimate ornamental objects with RFID tags. Totems or avatars that represent either people, products or services. We also added RFID tags to a set of house keys and a wallet. Functional things that you carry with you. This group of objects combine with a set of shelves containing a hidden projector and RFID reader to become DisplayCabinet. (via Chris Heathcote)
  4. shairport -- Aussie pulled the encryption keys from an Airport Express device, so now you can have software pretend to be an Airport Express.

January 14 2011

Open question: What's the point of inbox zero?

I have 10,021 unread messages in my inbox. Ignored newsletters and various bits of nearly-useless information make up most of that unread count (I think). That's why 10k+ unaddressed messages don't concern me.

But is my ease misplaced? There seems to be an awful lot of people -- or a few vocal people, I can't tell which -- that pursue "inbox zero" with evangelistic zeal.

To be clear, I don't fault anyone who pursues the tidiness of an empty inbox. If that's what you want to do, so be it. Rather, I just don't understand the motivations and intentions behind inbox zero (nor do I understand why so many feel it necessary to publicize their inbox successes and failures through Twitter ... but that's another matter).

So, because I find the whole "inbox zero" thing curious, I figured I'd toss out a few open questions:

  • Do you try to get your inbox down to zero unread messages? If so, why?
  • Is inbox zero something you try to achieve every day? Every month? Every quarter?
  • What does inbox zero represent to you? Does it have deeper meaning?
  • Does inbox zero lead to better overall organization?

Please share your thoughts in the comments area.

December 19 2010

Strata gems: What your inbox knows

We're publishing a new Strata Gem each day all the way through to December 24. Yesterday's Gem: A sense of self.

One of our themes at Strata is data in the dirt: mining the data exhaust from our lives to find meaning and value. In every organization, the trails left by email offer one of those repositories of hidden meaning.

Trampoline Systems's SONAR CRM takes an innovative approach to customer relationship management by mining the social networks created with and between companies. Through its integration with email logs, existing CRM systems and social networks, SONAR expands the scope of traditional CRM to give a fuller view of a company's relationships.

There is often more truth to be found in mining implicit data trails than by relying on explicitly logged information. Trampoline estimate that only 25% of actual contacts are recorded in CRM systems. By analyzing email flows, their system lets organizations understand who is talking to whom.

At O'Reilly, we specialize in connecting people across and within technical community "tribes". We've been experimenting with SONAR for some months. In my experience, it certainly contains the same knowledge about our contacts that I would otherwise have to obtain by asking around.

Email contact visualization
A SONAR visualization of some of O'Reilly's internal relationships

The more information you feed a system such as SONAR, the better results you can get. For instance, not all prodigious communicators are at the same level of influence: customer service personnel talk to as many people as business development, but the relationships they develop are of a more fleeting nature.

  • For a personal view on email analytics, Xobni offer an Outlook plugin that augments your email with information from social networks and analytical capabilities.

September 29 2010

Four short links: 29 September 2010

  1. Digital Mirror Demo (video) -- demo of the Digital Mirror tool that analyses relationships. Some very cute visualizations of social proximity and presentation of the things you can learn from email, calendar, etc. (via kgreene on Twitter)
  2. Free Machine Learning Books -- list of free online books from MetaOptimize readers. (via newsycombinator on Twitter)
  3. Chewie Stats -- sweet chart of blog traffic after something went memetic. Interesting for the different qualities of traffic from each site: As one might expect, Reddit users go straight for the punchline and bail immediately. One might assume the same behavior from Facebook users, but no, among the visitors that hang around, they rank third! Likewise I would have expected MetaFilter readers to hang around and Boing Boing users to quickly move along; but in fact, the opposite is the case. (via chrissmessina on Twitter)
  4. The Document Foundation -- new home of OpenOffice, which has a name change to LibreOffice. I hope this is the start of a Mozilla-like rebirth, as does Matt Asay. (via migueldeicaza on Twitter)

September 16 2010

Strata Week: The challenge of real-time analytics

The call for proposals for O'Reilly Strata ends on Sept. 28. We're keen to hear your stories about the business and practice of data, analytics and visualization. Submit a proposal now.

When MapReduce is too slow

This week the Register reported on Google's move away from a MapReduce architecture for compiling their search index. Pioneered by Google, MapReduce is a way to distribute calculations among many processors. MapReduce led the field in big data analytics frameworks, and is now popularly used in the form of the open-source Hadoop project, spearheaded by Yahoo!

Does Google think MapReduce is dead? Not quite. The problem is that MapReduce is a batch processing architecture. Google was recomputing their entire search index and replacing it wholesale every few hours. By contrast, content is being updated on the web in real-time. With a MapReduce-centric architecture, Google could never be truly up-to-date.

Caffeine, Google's new indexing system, supports incremental indexing and avoids the refresh rate problem of MapReduce. Carrie Grimes of Google explained the benefits, writing in a Google blog post:

With Caffeine, we analyze the web in small portions and update our search index on a continuous basis, globally. As we find new pages, or new information on existing pages, we can add these straight to the index.

Google isn't the only company that wants real-time big data processing. Facebook, deeply invested in Hadoop, are working to get their latencies down to matters of seconds rather than minutes. Real-time analytics is a priority for many of the companies I've spoken to in researching the Strata program. Whether it's MapReduce-based or not, we will see the emergence of more real-time big data technologies over the next 12 months.

  • Want to get a taste of using MapReduce without deploying any infrastructure? Check out mincemeat.py, a simple self-contained Python MapReduce implementation.

Feeling blue

The folks at COLOURlovers noticed that a lot of people favored the color blue for their Twitter theme. Was this just because Twitter itself was blue, or does blue have a stronger hold on our preferences? To investigate, COLOURlovers decided to research the top 100 online brands.

Blue, the color of Twitter, Facebook, Paypal, and AT&T, does indeed dominate online brands. But it's not alone. There's a strong showing for red from companies such as CNN, ESPN, Comcast, CNET, BBC and YouTube. Red seems to be a strong indicator for media organizations.

Excerpt from COLOURlovers visualization.

Is there any hope for variety, or are we doomed to a red-blue future? COLOURlovers suspect that once category leaders establish a certain color, newcomers are likely to repeat it.

Once a rocketship of a web startup takes flight, there are a number of Jr. Internet astronauts hoping to emulate their success ... and are inspired by their brands. And so blue and red will probably continue to dominate, but we can have hope for the GoWallas, DailyBooths and other more adventurous brands out there.


Personal email analytics

Email is one of the richest, most useful and most infuriating sources of data in our lives. For years we've been wanting tools to help make sense of the flow of people and information that it brings. In 1991, for example, Jamie Zawinski created the Insidious Big Brother Database (BBDB), with the aim of making both email and people more manageable.

BBDB can automatically keep track of what other topics the sender has corresponded with you about; when you last read a message from the sender; what mailing lists their messages came through; and any other details or automatic annotations you care to add. It also does a good job of noting when someone's email address has changed.

More recently it seems that innovation has been slower to come to email clients. However, the opening up of GMail's API has brought some interesting new tools, based on machine learning and analytics.

For basic exploration of your email flows, try Graph Your Inbox. This is a Chrome browser extension that will chart queries over your GMail data, essentially a Google Trends for your email. Below is a graph comparing the volumes of email I sent and received.

Graph Your Inbox results for outbound vs incoming email

With tools such as Graph Your Inbox we can retrospectively mine our own email and discover the ebb and flow of people and projects in our lives. Can machine learning help us in a proactive way? Whether you are conscious of it or not, machine learning techniques help us daily in the fight against spam. But what about separating the signal from the noise among our non-spam communications?

Google recently introduced Priority Inbox, in an attempt to help users decide which emails are important. Small voting buttons and dividers in the interface enable you to train Priority Inbox. But some of this seems a bit redundant -- we already passively prioritize by how quickly we read and reply to messages from different people. Why can't the computer learn?

SaneBox is a web application that takes a more low-key approach. It will label mail according to whether it needs immediate attention, can be postponed for later, or whether it's a bulk mailing. I've been using it for some months, and it admittedly takes a little time to learn to trust. The results however are impressive. Simply removing non-urgent mail from view lowers stress levels considerably.

Send us news

Email us news, tips and interesting tidbits at strataweek@oreilly.com.
