March 27, 2005

A penny here...

The shocking truth - spam works!! - is revealed in a breathtaking survey by the Radicati group. Jokes about lack of economic nous aside, the numbers in there are quite interesting: 10% of respondents have purchased products advertised in spam.

In contrast to that, a well written case study that discusses how a seemingly innocent blunder cost a legal practice $100k in down time. It is issues like these that make the risks approach to security all the more incisive.

More shocking truths - Microsoft pays for independent reports that slam their opposition's security. The only reason I bring this obviosity up is because it's going to be happening to a browser near you, in the second half of this year.

Russian payments company WebMoney has been hit for frauds of $1.5m. It looks like they got the (a) guy, but it's not clear whether the funds are lost or not.

Good blog post that simply lists the 5 Choicepoint shareholder lawsuits.

FUDWatchers Freedom is Slavery and Stupid Security spot another case where Sandia Labs looks to do more damage to society than any terrorist ever dreamed of. It's thinking like this that leads to graver vulnerabilities, under the facade of yet more security solutions that earn big bucks but don't work. No thanks.

Phishing gets some respect from the academic world at a workshop in Rutgers University, New Jersey, USA. 14-15 April.

In closing, a few notes on FC admin. I have adopted Adam's lead and created a Pennies category for little snippets that come my way. Pennies are just my way of clearing down the desktop, sorry about that.

Also, some of them may not be mailed out; this is generally something that I do if they are readable, but once the links get deeply embedded for website clicking on the blog, they become unreadable.

Another point: the mail list is manual. If you want off, or on, or any points in between, just reply and I shall obey. Privacy notice: I don't have time to collect or datamine your identity.

Posted by iang at March 27, 2005 12:51 AM

Concerning the WebMoney theft. Surprisingly, WebMoney's website says nothing about it. They seem to be trying to cover it up. I haven't even found a single article on their discussion forums, although sometimes there are very interesting security issues discussed.
The Russian-language comment to the linked article, which is a verbatim copy of a Kommersant article (Kommersant is a popular business journal in the Russian-speaking world), is very informative though. Here's a short summary in English:

A 22-year-old college student, Constantin Lykov (majoring in math), was working part-time in the print shop that prints the scratch-cards for webmoney (one way to convert cash to webmoney is through buying scratch-cards with secret codes that one can enter into the wallet). He somehow got hold of the files containing the secret codes and was stupid enough to print them out -- these printouts were used as evidence against him.

He stole approx. $1.5 million worth of codes, but was actually able to take possession of less than $1000 by the time he was arrested. He bought expensive cellphones in order to sell them on for cash, purchased a notebook computer (apparently a used one) and lost a minor sum gambling in an on-line casino.

The article goes on to say that the people who eventually purchased the cards with the compromised codes haven't even noticed the theft, as webmoney decided to re-validate the codes.

I guess this is why they went to unusual lengths to cover up the incident (usually, they are quite open about security issues): they don't want to undermine the trust in the scratch-cards.

Otherwise, I must say that WebMoney is the best digital cash provider, as far as cryptography and business model go. While right now they are mostly catering to the Russian-speaking world (which includes the immigrant communities of North America and Western Europe, and the entirety of the former USSR), their service is scalable and very well-designed.

My only problems with them are a 0.8% per-transaction charge and the fact that they are often using home-grown crypto instead of established open standards even when such standards do exist. For example, they have their own secure messaging system instead of using any kind of secure email.

It is based on dispensable anonymous accounts where one can deposit using the public key and withdraw using the private key. They also have a nice escrow mechanism.

Posted by: Daniel A. Nagy at March 28, 2005 02:16 PM

For example, they encode RSA-keys and hashes in decimal.

Posted by: Daniel A. Nagy at March 28, 2005 02:22 PM