Tuesday, February 27, 2007

Stop & Shop Skimmers Stopped

According to the Associated Press today, "four California men were arrested in what police said was a scheme to switch checkout-lane credit card readers at Stop & Shop supermarkets as a way to steal customers' numbers and passwords." The men, whose ages ranged from 20 to 28, reportedly were arrested last night while attempting to switch keypads at a store in Coventry, Rhode Island. They are charged with conspiracy, computer theft and fraud. They were scheduled to be arraigned this afternoon in Kent County District Court in Rhode Island.

Thursday, February 08, 2007

Clueless and Defenseless?

Eurogamer just reported that a man in New Zealand has been arrested and charged with stealing an Xbox 360 during a burglary, after he called Microsoft "to register the machine and ask for a power cord to replace the one he forgot to steal."

Clueless or Defenseless?

In the wake of initial media coverage about this week's attacks on DNS root servers, a Sophos press release quoted Graham Cluley, senior technology consultant at Sophos, as commending "the resilience of the root servers" but pointing to "the lax attitude of some users towards IT security" as "the root of the problem." Cluley reportedly found it "ironic that the people who depend on the web may have been the ones whose computers were secretly trying to bring it down."
Cluley's comments, unfortunately, both understate and misstate the problem. If Vint Cerf's recent estimate -- that as many as 150 million of the 600 million computers on the Internet may be infected and pressed into service in botnets -- is correct, the problem is not "some users," but vast numbers of individual and corporate users. At the same time, it is important to keep in mind that "those who depend on the web" also depend on those who provide critical security software and services.
This week, Trend Micro issued an advisory about a serious security flaw in its antivirus scan engine that could be used to trigger a buffer overflow and allow an attacker to take control of the system. One could say it's ironic that a leading security vendor provided security-minded users with products that contained their own significant vulnerability.
Certainly, the sort of vulnerability that Trend Micro announced is far from unique -- and that's precisely the point. End-users, from naive newbies to sophisticated programmers, should bear only a portion of the total responsibility for improving IT security worldwide. While we move, haltingly, toward a better allocation of responsibility among all participants in the online world (including infrastructure and content providers and IT security vendors) for maintaining IT security, placing the blame on just "some users" simply misdirects the discussion into unproductive debate.

Monday, February 05, 2007

Email Order Bride (and Groom)

BBC News recently published an intriguing article about the ways in which the Internet is helping the current generation of young Indian professionals to mediate between the deeply rooted tradition of arranged marriage and the modern desire for greater involvement in selecting one's own prospective mate. Young people can use a variety of Indian matrimonial sites to look for prospective mates from their communities, email each other to communicate more freely than in traditional face-to-face meetings that their parents arranged, and present parents with a selection whom they can still meet and approve.

Sunday, January 28, 2007

But What Would Homer Simpson Say?

A number of media articles have reported on the efforts of a Dr. Robert Bohannon, a Durham, North Carolina entrepreneur, to develop and market a caffeinated doughnut. The Durham Herald-Sun reported that Bohannon, a technical consultant for diagnostic companies, came up with the idea six years ago. His initial experiment with purified caffeine literally left a bitter taste in his mouth, but Bohannon persevered. After working with a company to "microencapsulate" the caffeine (i.e., to produce micron-sized caffeine particles and put a coating on them), Bohannon finally produced caffeinated doughnuts and bagels containing caffeine particles with a vegetable oil-based coating that he says doesn't dissolve until it reaches your digestive tract. Bohannon, who has now filed for a patent, recently wrote letters to Starbucks, Krispy Kreme, and Dunkin' Donuts to drum up interest in his invention.
The issue is not whether an entrepreneur ought to pursue a dream. By all accounts, Dr. Bohannon has an intense personal attachment to caffeine: he reportedly drinks four to six cups of coffee a day, and even bought a coffeehouse in Durham. Nor is it whether government regulators ought to examine this product with suspicion, although the volume of caffeine Bohannon's product contains -- 75 milligrams to 100 milligrams, compared to 100 milligrams in an 8-ounce cup of coffee -- could make for some interesting family breakfasts if small children scarf down several Buzz Donuts (Bohannon's trademark for his product) before school.
The real issue is whether the humble doughnut needs to become yet another caffeinated product in our already overcaffeinated lives. Before any company chooses to adopt Dr. Bohannon's proposal, it should consider the likely reaction of the ultimate authority on doughnuts, Homer Simpson. Homer has not only an endless appetite for doughnuts -- having risked even his soul for a doughnut -- but also boundless faith in their virtues, once proclaiming, "Donuts. Is there anything they can't do?" Homer also prizes diversity in doughnut types: as he put it, "American donuts. Glazed, powdered and raspberry-filled. Now how's that for freedom of choice?"
And yet, Homer would undoubtedly frown on Bohannon's creation. Doughnuts, to Homer (and maybe many more), represent everything that caffeine does not: sloth, inertia, and fixation on the pleasures of the moment. Surely he would take a stand against adulterating one of life's minor guilty pleasures -- if only he thought it important enough to try.

Friday, January 05, 2007

CHIP + PIN + HACK = TETRIS

Two researchers at Cambridge University, Steven Murdoch and Saar Drimer, recently reported their success at hacking a chip-and-PIN terminal to make it play Tetris. As reported in The Register, "The proof-of-concept hack highlights wider security concerns about the terminals even though it was only possible after Murdoch and Drimer replaced most of the internal electronics after opening up the terminal." The researchers also did a short video that is now available (presumably to no one's surprise) on YouTube.

Shop Till Your Insula Drops

Today's Scientific American includes a summary of a fascinating study published in the January 4 issue of Neuron. As summarized in Neuron Online, a research team, led by neuroscientist Brian Knutson of Stanford University, "performed functional magnetic resonance imaging (fMRI)" on individuals while the subjects were deciding whether or not to purchase various items. Their results . . . "support the theory that the decision to purchase involves the integration of emotional signals related to the anticipation of both obtaining the desired product and suffering the financial loss of paying for it." Among other findings, the study noted that "the response of the insula (a lateral section of the brain's cortex known to activate during responses to negative stimuli) depended on the purchasing decision--activity there increased when a participant nixed a purchase."
(Note: A link to the Neuron article is available here.)

Wednesday, December 20, 2006

New U.K. Report on Mass-Marketed Scams

Today, the United Kingdom Office of Fair Trading (OFT) issued a study on the impact of mass-marketed scams (i.e., scams using direct mail, telemarketing, email, and the Internet) on U.K. consumers. Here are some of the OFT's more intriguing findings:
- An estimated £3.5 billion is lost to scams each year, including estimated losses of £1.17 billion to holiday (vacation) club scams, £490 million to high-risk investment scams, £420 million to pyramid and get-rich-quick scams, and £260 million to foreign-lottery scams. The total equates to about £70 per year for every adult living in the United Kingdom.
- The mean amount lost per scam is £850, but the median is only £14. This means that the distribution of losses is highly skewed, as the mean is increased dramatically by “the relatively small number of persons who lost large amounts of money to scams.”
- Nearly half the U.K. adult population (about 23.5 million people) is likely to have been targeted by a scam, and 6.5 percent of the U.K. adult population falls victim to scams every year.

Tuesday, December 19, 2006

Q&A: E-Waste

Think that those old PCs you've been dropping off for "recycling" are really getting recycled properly? Not necessarily. E-waste, as a recent BBC News report put it, "is thought to be the fastest growing part of municipal waste in the developed world."
The United Nations Environment Programme (UNEP) estimates that as much as 50 million tons of waste from discarded electronic goods is generated each year.
E-waste is particularly problematic for certain West African nations, such as Nigeria and the Cote d'Ivoire. The BBC recently described Nigeria as "increasingly the world's PC dumping ground." Although Nigeria reportedly has a thriving second-hand computer industry, one Nigerian industry representative estimated that up to 75 percent of the PCs exported to Nigeria are outdated and unusable. Jim Puckett of the Basel Action Network, a nongovernmental environmental organization, has stated that unscrupulous brokers and exporters take machines that their former owners intended to be recycled, but do not recycle and instead commingle working and nonworking machines that are exported.
Is there recycling once the unusable computers reach nations like Nigeria? Yes, but not in the way you'd imagine or want. For example, around Lagos, which has no regular computer recycling facilities, e-waste computers reportedly "build up in huge piles" at dumps around the city. Children scavenge these dumps for the waste computers' contents, from which they can earn about US$2 per day, but also expose themselves to serious health risks in the process. Hazardous waste products in the computers include lead, arsenic, and mercury, as well as heavy metals such as nickel, cadmium, and chromium which leach into the soil and end up in plants and in people who consume vegetables.
Are there measures for international cooperation to combat e-waste? Since 1989, the Basel Convention on the Control of Transboundary Movements of Hazardous Wastes and Their Disposal (Convention) has offered a basic legal regime for international action. While other G8 members have ratified or approved the Convention, the United States has not yet done so. The State Department's explanation of the U.S. position is that "before the United States can ratify the Convention, there is a need for additional legislation to provide the necessary statutory authority to implement its requirements." (As a point of reference, the U.S. Senate gave its advice and consent to ratification in 1992.) In the meantime, the State Department also notes that, "with respect to classifying used and scrap electronics, the current Basel system for controlling international shipments of hazardous waste makes trade in many of these materials difficult, and in some cases impossible. The U.S. supports consideration of alternative systems of control for 'e-waste' under the Convention."
Is there consensus about what those alternative systems should be? Not yet. The electronics industry and government officials are far from unanimous on what to do about e-waste. Proposals range from making manufacturers take back used electronics to imposing recycling fees on consumers and establishing cost-sharing arrangements between manufacturers, retailers, and consumers. Earlier this month, the Convention member governments issued an "urgent call for action" on e-waste, with priorities on "launching pilot projects to establish take-back systems for used electronic products, strengthening global collaboration on fighting illegal traffickers and promoting best practices through new technical guidelines."
What can individual consumers do in the meantime? Among other things, whenever you plan to recycle a computer or peripheral, start by asking the manufacturer if it has a recycling program, and ask for details that provide some assurance that they do what they say they'll do. Also, ask organizations like the Sierra Club or the Environmental Defense Fund for recommendations on reliable recycling companies or groups.
In some ways, the problem of e-waste is like the problem of conflict diamonds. No one person or company in the distribution chain is solely responsible for the problem, and most people would agree that the commodity is undesirable, yet under current legal regimes even a comparatively small number of unscrupulous enterprises can profit from its sale at the expense of innocent people. Perhaps, like conflict diamonds, e-waste needs its own "Kimberley Process," in which companies certify that they will recycle the electronics that they receive and will not ship them elsewhere for profit. Such a process could create incentives for reducing e-waste and provide a basis for concerted action by industry and governments in reducing the international spread of e-waste.

Cooper v. Universal Music Australia - Full Text

For those interested in yesterday's ruling by the Australian Federal Court in Cooper v. Universal Music Australia -- which found the operator of mp3s4free.net and an ISP guilty of authorizing copyright infringement, by providing a search engine that enabled Internet users to illegally download MP3 files -- the Sydney Morning Herald provides what more online news reports on significant judicial decisions should include: a link to the full text of the decision.

Say Nyet to Time Webstore

Australian authorities have expressed concern that a website purporting to offer iPods and plasma TVs at below-market prices may be fraudulent. The website, www.timewebstore.com, lists physical and P.O. Box addresses in Darwin in the Northern Territory. As The Sydney Morning Herald first reported, however, the timewebstore.com domain is registered to a Vladimir Hotovksy in Moscow.
Other facts in the Herald article strongly suggest the fraudulent nature of the site: customers have complained that they did not receive the goods they ordered; the street in Darwin where the Time Webstore's head office is supposedly located does not exist; and the bank account used to pay for a $17,000 newspaper ad directing people to the website was false. Also, for what it's worth, the administrative and technical contact for the company hosting timewebstore.com's servers, hqhost.net, is a Sergey Sabatyev in New York City, and hqhost.net has numerous links to Russian websites, including porn sites.
As of this writing, www.timewebstore.com is still up and running.

New Recipe for E-Commerce Down Under: Kiwis?

A new Nielsen Media Panorama report states that more than 1.25 million New Zealanders have shopped online in 2006 -- an increase of more than 400 percent since 2001. What e-commerce sites should find even more interesting is that more than 400,000 Kiwis had made at least six online purchases in 2006 - a 700 percent increase since 2001.

Unauthorized Hacking - NZ$7500. Chutzpah - Priceless.

Not many reports about cybercrime issues are likely to induce a triple-take, but yesterday's New Zealand Herald included a report that could do just that. According to the article, one Gerry Macridis, described as a "security consultant," admitted that he had accessed the New Zealand Reserve Bank's computer-controlled telephone system without authorization. Macridis is now threatening the Reserve Bank with legal action if he is not paid NZ$7,500 for the information he gave the Bank about security flaws in the phone system.
The fact that Macridis lacked authorization to access the system is apparently both insignificant and irrelevant, as he claims the Bank then used his information to fix the security flaws he found. Macridis reportedly had taken the trouble to send the Bank a report that detailed the security flaws (although the Bank did not request it), and had called the Bank asking for payment for his unsought advice.
Now for the triple-take: Because of his unauthorized access to the Bank's system, Macridis was prosecuted in Wellington District Court, and pleaded guilty to the unauthorized access. Yet the judge -- after hearing from Macridis that "the bank's phone system was the worst he had seen in 11 years as a consultant and was vulnerable to tapping from overseas" -- discharged Macridis from conviction. The judge reportedly stated that Macridis "had acted honourably and a conviction would be disproportionate to the crime."
This ruling does not bode well for law enforcement or IT security departments in New Zealand. Under this court's apparent reasoning, any self-described "security consultant" can hack a computer system, and present the system owner with information on the vulnerability along with a bill for unrequested "services" (at least, as long as he is careful not to threaten harm to the system if he is not paid). One can only hope that Kiwi courts will give any legal action by Macridis short shrift, and perhaps recognize, should future Macridises come along, that unauthorized access to computers -- far from being "honourable" behavior -- is criminal conduct that deserves to be recognized as such.