Law and legislation

Iraq cybersquatting Israel gov’t domains

A few years ago, the personal blog of the Iranian president Ahmadinejad included a special piece of malware code that would only be displayed for Israeli IP addresses, attempting to infect Israeli machines visiting the site while preserving a seemingly harmless appearance for any western visitor that is not an Israeli. I thought that was quite a clever attack at the time.
But now the Iraqis are flexing their cyber-muscles too. According to a Hebrew article in (this is not yet available on their English site, but may be soon), several domain names of Israeli government entities and large Israeli institutions have been registered by users outside Israel, some users having addresses in Iraq.

These domains use names with Hebrew characters, which are now available under the IDN. However, the method of typing Hebrew domain names is not in wide use and companies still prefer the English domains with the .il or .com suffix, which is why those Hebrew domains were available for purchase. Some of the domain names that were purchased include the Mossad, the Shabak (the “Shin Bet”), the IDF, Israel Police, Knesset, and several major banks.

Since the domain name is in Hebrew and contains the full name of the company or institution, it is incredibly useful for phishing attacks. traced many of the domain names, particularly those of major ministries and public service names to a company called “ICU Agency” with a registered address in Baghdad. I’m sure there are other clever uses for such domains in war time that exceed simple phishing. With the speed in which news travels on the Internet these days, it shouldn’t be difficult to do some psychological warfare if you own “credible” domain names.

    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

Liability for “cavalier disregard”

OK, this has got nothing to do with computers (except that the SkyTrain is completely automated).

For the past three years, Cambie Street, a major thoroughfare with at least four different shopping and business areas on it, has been almost completely shut down for the construction of the RAV (Richmond-Airport-Vancouver) SkyTrain line (aka Canada Line).  (Since it is located almost dead centre in Vancouver, the city has been pretty much bisected for that time, and the traffic hassles have been enormous.)  Originally the line was supposed to be a tunnel, but that was going to take too long and cost too much, so they dug up the entire street.  For three years.

Most of the businesses along Cambie have gone bankrupt in that time: others have moved.

Now a lawsuit for damages has been won by a business owner.

This will, of course, be a precedent, and will undoubtedly lead to more judgements (I think other cases are already before the courts) and more lawsuits.

I’ve got to admit to an uncharitable glee over this turn of events.  The RAV line was not prompted, but the decision to actually build it was undoubtedly influenced, by the 2010 Olympics.  The provincial government has been absolutely gaga over having the games here, and has launched a number of “vanity” projects and other measures.  (Latest on the list: for the games, security personnel won’t have to undergo the minimal training and licencing that already exists.  They can get a special certificate which seems to merely verify that they are breathing.)


Take it underground

This post was written because a very good friend of mine asked me to send them a mail about decent reasoning to use Tor, and explore the Onion net, so thank you (you know who you are), and this post will be followed by another more detailed post on the Onion net soon.

Okay, so with all that’s been going on in the world lately, I’m starting to think that we should really start moving things underground, by underground, I mean that we should start encrypting our traffic more, and making use of the means that we have available to us, and helping to support them more as a security community.

The things in the world that I’m referring to are not only UK based either, here are a few examples:

Pirate Bay – Guilty Verdict

Mobile Phone Tracking


Directive 2006/24/EC Of The European Parliament And Of The Council

It seems that we are seeing more and more of the world’s governments moving towards an Orwellian culture, and I for one really don’t feel comfortable operating in this way.

You may be asking yourselves at this point, what can we do to stop this, the honest answer is, really not that much right now.
We can however start to move our information systems somewhere else, somewhere more secure, and we can all help others to secure their online habits by setting up Tor relays.

The more relays the Tor network gets, the better it is for everyone involved, if you can’t configure a relay, or just don’t want to, then if at all possible, please donate to the Tor project here.

So please people, if you value your privacy at all, please help the Tor project out in any way that you can, even if it’s translating articles.

Below are a few links that you may find useful:

Tor Overview



This may seem like a shameless Tor plug, but I can assure you that it’s not, and I am in no way related to the Tor project at this point in time, but I really feel that it’s an extremely worthwhile project, and I plan on getting a lot more involved. This project has come a long way in the 2 years that I’ve been using it, and the more users we get contributing the better the anonymity and speed gets.

Keep it safe and private people.


Carder spam or not?

I received this email today:

Good morning!

I inform you about site where people trade in stolen credit cards. As i’m a holder of visa classic i’m sincerely exasperated at appearing such sites in your hosting. I beg of you to take strong measures and don’t be indifferent to heart-break of other people. This complaint will be sent to the FBI.

Best regrads, Jon Shirov.

At first I was shocked, why would someone allow such a site to still be up even though someone reported it to the FBI. I had to do something.

Rushing to the rescue I looked at the site and it appears to be a pretty straightforward scam-sell site, you come there and buy stolen goods.

Why have I been notified only now I wondered… I looked back in my spam log and what do you know the same email appears more than once in my spam folder with different names, dates and of course email addresses 🙂

I am not sure what the scam/spam’s purpose is, apparently they want you to go to their site and see what they have to offer – you might be a potential customer to their operation.

I of course didn’t dig in to the site, nor am I interested in buying anything found there – on the other hand I will also not report this to the FBI as the site is not hosted inside the United States (It is hosted in Russia), nor is its domain under a US registrar (ends with a SU).

Whoever knows of a place to report such sites to please let me (us) know.


CSIS Commission on Cybersecurity for the 44th Presidency

The US Center for Strategic and International Studies (CSIS) is a bipartisan, nonprofit organization headquartered in Washington, D.C.  A commission on cybersecurity was formed in 2007 in order to prepare a set of recommendations for the incoming US President.  Unfortunately, the report is rather generic and banal, boiling down to a statement that US cybersecurity is weak, and that the US should be doing pretty much the usual, only better.  This report has been promoted on a number of security mailing lists as an important set of recommendations.  It probably is important to read, if only to get a view of the fairly limited position which may be driving US public policy in the near term.


10 days later: The Israeli anti-spam law seems to work

Driving around Sao Paulo you don’t notice it. But when you drive back to the airport it suddenly hits you: billboard advertisements. They suddenly stick out, and you realize through all this time in the city there wasn’t a single billboard advertisement. Unsurprisingly, it’s too easy to get used to the lack of the big-city marketing assault on your senses that you usually see elsewhere. Sao Paulo may be polluted and congested, but when it comes to billboard advertisements there’s just none of it.

Spam is like that. You don’t miss it when it’s gone – you just get more attentive for spam that does get through.

A few months ago, Israel passed a law that might be the first of its kind(*): with very few exceptions, spam is now illegal in Israel. If you receive an email that you didn’t specifically opt-in for, and that email wants to sell you something, and either the entity who sent the email is Israeli or the company that benefits from the email is Israeli, you can sue in court and get the equivalent of $250 for every email you received(!) without any need to prove direct or indirect damages(!!). The law is phrased carefully to close all the obvious loopholes: Israeli companies are liable even if they were using off-shore machines to send the spam, and if you sue them, it’s them that have to prove that the email recipient voluntarily opted to receive those emails. Not only that, but you can’t use an opt-in consent to advertise someone else’s product (hence, list renting won’t work).

For me, seeing this type of law actually working is nothing short of incredible. My inbox was routinely filled with Hebrew emails from some of the largest consumer brands in Israel, who figured it’s cheaper to pay fractions of a cent per email to tell me about attractive deals for mineral water dispensers than take out a TV spot. Having qmail as my mail server allows me to make up email addresses on-the-fly so I can easily track where a certain advertiser got my email: I signed up for the Jerusalem Post alerts and got ads from a bunch of other advertisers. I opened an account in a now-defunct web 1.0 service and my email address for that service was sold on to about a hundred different small-time spammers. I signed up for the Israeli version of ‘classmates’ and in return got bombarded by offers to buy TVs at a discount. Oh, and of course the typical spammers who just guessed my email address and are sending me updates about discounted airline tickets to Africa. The typical viagra-style emails arrive in quantities as well, but those are easily filtered out. Hebrew spam is a bit more difficult to filter because some of the legitimate email I get is Hebrew newsletters that I did actually sign up for.

So to think that from December 1, 2008, when the spam law becomes active, I will cut down on my delete-key presses was beyond what I could imagine.

The month of November was as you might expect: unbelievable quantities of emails asking me to opt-in to lists I never heard of. Each trying to convince me of the huge benefits of receiving unsolicited advertisements that might change my life. Some of these emails were angry: spammers don’t like it when their work is interfered with, and a group claiming to represent the small businesses who ‘have no other choice than to send spam’ tried to tell me why the law is an immediate threat to small businesses. And when I say ‘tried to tell me’ I mean sent me a few dozen emails a day almost every day that month. Well, I stand unconvinced.

December 1st came, and the flood slowed down. Still the occasional email, usually treading on the border between legal and illegal – like emails that contained a request to opt-into the newsletter (this is allowed by the new law – once only) with a small commercial pitch towards the end. The notorious ‘people and computers’, a hitech magazine and an Israeli representative of ‘information week’ sent me daily reminders that I have not yet opted in and ‘soon’ will stop receiving their daily newsletter if I don’t fix my ways. I would have sued, but the general manager of P&C met Bill Gates once and told him: “can I please have your card?” and when Gates gave him his business card he replied with “No, your credit card”. You’ve got to hand it to him: he may be a bit of a jerk, but he is funny.

A couple of newsletters keep coming regularly, beginning the email with a long disclaimer that they are not an advertisement (the content is again borderline, I imagine at some point someone will challenge them in court) and there was the one spam email that arrived last week which I am taking to small claims court to get my $250 charity money.

But other than those – barely a handful, really – a peaceful silence. I can really get used to not getting Hebrew spam. Now if only we can get Russia to follow suit!

By the way: for those wondering where the ‘catch’ is in the spam law – or as the cynics would put it: how is it possible that politicians create an actually useful law – here’s a solution to the paradox. Being the parliamentarian state that Israel is, the law specifically allows political spam to be sent. So not to worry: the politicians excluded themselves nicely. Still, it’s a small price to pay for a relatively clean inbox.

Let’s see how long this serenity will last – email is still a very tempting advertising channel. But when the potential cost is $250 per email, suddenly the ROI is not as attractive.

(*) I’m not aware of an opt-in spam law that allows anyone to sue the body who benefits from the spam without proof of damage. Please enlighten me if I’m wrong.
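The per-service address trick described in this post can be turned into a small audit of received mail. This is an added example, not the author's code: the `me-<tag>` address form, the use of the `Delivered-To` header, the tag table and the sample messages are all assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed table: address tag -> domain of the one service that tag was given to.
ISSUED_TO = {"jpost": "jpost.example", "classmates": "classmates.example"}

def tag_of(address, user="me", sep="-"):
    """Return the extension of user-tag@domain, or None for the bare address."""
    local = parseaddr(address)[1].split("@")[0].lower()
    prefix = user + sep
    return local[len(prefix):] if local.startswith(prefix) else None

def attribute_leaks(raw_messages):
    """Map each tag to the sender domains that were never given that address."""
    leaks = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        tag = tag_of(msg.get("Delivered-To", ""))
        sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        if tag is None:
            tag = "(untagged)"  # bare address: guessed or harvested elsewhere
        expected = ISSUED_TO.get(tag)
        # Mail from the issuing service (or a subdomain of it) is expected.
        if expected and (sender == expected or sender.endswith("." + expected)):
            continue
        # Anything else, including mail to an unknown tag, counts as a leak.
        leaks.setdefault(tag, set()).add(sender)
    return leaks

# Constructed sample messages (headers only, followed by a one-line body).
SAMPLE = [
    "Delivered-To: me-jpost@home.example\nFrom: Alerts <alerts@jpost.example>\n\nnews",
    "Delivered-To: me-jpost@home.example\nFrom: Deals <deals@tv-ads.example>\n\nbuy",
    "Delivered-To: me-classmates@home.example\nFrom: promo@tv-ads.example\n\nbuy",
    "Delivered-To: me@home.example\nFrom: tickets@air.example\n\nfly",
]

if __name__ == "__main__":
    for tag, senders in sorted(attribute_leaks(SAMPLE).items()):
        print(f"{tag}: address used by {', '.join(sorted(senders))}")
```
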


Engineering Elections

Did you vote in the last election? If not, you should have. If so, did it really count? I mean, literally, besides the aspect of consideration, did your ballot reach the total counter?

Many people who are part of a democracy and have this magical ‘right to vote’ (There is no amendment or part of the US constitution that directly states that Americans have the right to vote; only that you cannot be discriminated against via race or sex, and you must be at least 18 years of age. Look it up and you’ll see that it is only indirectly implied) probably question where their votes really go each and every time they leave the polls.

Furthermore, the most important question should be this: If election fraud is part of our elections, and we all know at least some part of it is, how can we prevent it? The simple answer is, we can’t. Electronic voting machines are a joke. Really, the security on these machines is inferior to the most common lock and key at the dollar store. Security on these ‘secure’ election devices is comparable to a Windows 98 (SE!) box running ZoneAlarm (pro!).

Wouldn’t it be nice and convenient to be able to vote via the Internet, without ever having to leave your home? Sure it would be. Safe though? Not in this century. If you have Netflix or any other movie service, you should add this to your queue: Hacking Democracy. Watch it, learn it, believe it. Do not hesitate at all to think it’s real. IT’S BEEN PROVEN! Not a believer? Just wait around our next big election — we’ll see who wins.
