
A few dismal statistics on the prevalence of dangerous email, from a post here in a security blog SearchSecurity, quoting a study by MessageLabs, a security software firm:

  • Based on their samples, MessageLabs believes that 90% of all emails globally are spam;
  • 1 in 200 emails contain a phishing attack;
  • 68% of all malicious emails they intercepted were phishing attacks.

As a personal note, I think they’re understating the proportion of spam — my own sample here at the office is that only 3% of our incoming email traffic was valid email, based on a study I did in mid-October.

So as usual, the bad guys are keeping one step ahead by devising new forms of attack when the old ones become less effective; nothing new there, online or offline. But phishing attacks are particularly worrisome because they aren’t as readily filtered out as other forms of spam that are just selling some kind of hokum. Phishing attacks work by getting the victim to disgorge their account numbers and passwords, which are then used to vacuum out bank accounts, open illegitimate credit cards, and all the rest of it.

A good proportion of the rest of all this spam is devoted to getting the victim to allow the spammer to download to the victim’s machine some hostile software, including keystroke loggers and the control software that will turn the victim’s machine into a spam-relaying robot.

And all it takes is one mistake, one visit to an apparently innocent but actually hostile website, and you’re nailed, and if the infection is a rootkit it’s likely that you won’t be able to either find it or fix it without a complete software rebuild on the machine.

Here is an excellent non-technical overview of one of the world’s largest phishing organizations, from the Seattle Times. It’s more than scary.

Now I’m not an alarmist, but at what point does the Internet become just too dangerous to be worth the trouble? Back about 15 years ago I used to go out to some of the Compuserve newsgroups pretty regularly for technical subjects, but gradually they became so filled up with spam messages that perhaps one in 50 was a valid message, the rest were all machine-generated junk. At that point, I just quit going there. At what point will the broader public come to the same conclusion, and become afraid to use the Internet?

Be sure to see my earlier posts on this subject, in the category “hybrid cars.”

Within many segments of the US business community there is a strong undercurrent of distrust of anything smacking of a coherent national energy policy, even as we are increasingly threatened by all manner of energy-related problems in everything from hydrocarbons to electric generation and transmission infrastructure. As many of these people continue to raise the cry, “socialized medicine!” as a bogeyman to prevent children being covered by medical insurance, they seem to want to raise the cry “socialized energy!” at any discussion of energy policy.

So in that line I wasn’t surprised when the official organ of the business community, the Wall Street Journal, came out recently (October 29, 2007) with an article “The Economics of Hybrids,” pointing out somberly that “for most US consumers, they’re still a money-losing proposition.” Basically, they figure out by comparing models of hybrid / non-hybrid cars and trucks, factor in the bizarre US tax credit for hybrids, and derive a “hybrid premium” for each model, and then, with some assumptions of average mileage, cost of gas, determine how many years of driving would be required to pay back the “hybrid premium.” This is, of course, a pretty questionable analysis.

By their calculation, the American cars average a payout period of about 4.3 years, and the foreign ones (mainly Toyota and Honda) average a breakeven after around 14 years — the Prius I drive is colossally the worst at a whopping 17.9 years. So, by their calculation, hybrids are worthless to the average consumer. So then, I guess, hopefully you won’t be tempted to buy one, or if you’re dumb enough to do so, buy an American one.

So here’s my take on all this. Any economic calculation is heavily influenced by the input parameters, and I would point out that:

  • The US tax credit system penalizes firms that make lots of hybrids by cutting out the credit after 60,000 total hybrid cars produced, thus shafting Toyota and Lexus by making their cars about $1,300 to $2,000 more expensive.
  • The WSJ assumes 15,000 miles per year — I average about twice that in my cars.
  • They assume a gas price of $2.79 / gallon, we are now averaging about $3.11 / gallon, and rising.
  • They assume 46 MPG for the Prius, actually I average over 50, and the new Prius is better than this.
  • In the case of the Prius, they compare it to the Corolla, a considerably less-well-equipped car than the Prius; a more comparable car would be the Camry, which is only about $200 more than the Prius.

So, ignoring taxes, at my actual driving rate and assuming the actual gas cost, my payback time for the Prius vs. the Camry is a whopping 1.6 months, not 18 years (vs. the Corolla) as they state.

Finally, two key points to think about. First the tax credit — this scheme is pretty nuts. They’ll give a little credit to encourage you to buy a hybrid, but it currently has the effect of encouraging you to buy one from somebody who only makes a few of them, so that they haven’t gone over the 60,000-car limit. This rewards US manufacturers to just have a few hybrids in the stable, but not really push them as if they mattered. Either we should reward hybrid purchases, or not, but not have this perverse incentive to “only make a few.”

And then of course, what about these hybrids? Except for Toyota and Honda, nobody has a hybrid that gets more than 30 MPG, which is nuts. The Prius gives me regularly 50 – 55 MPG, and these are the cars we should be encouraging people to buy. Just having a hybrid drive means nothing much if you don’t get some significant mileage to show for it. It can be done, the Prius does it.

But of course, if you don’t believe in a national energy policy, if you don’t believe we have a problem being dependent on Middle-eastern oil supplies, or that rising CO2 levels in the atmosphere are a problem, all this is irrelevant!

Dream on!

As if we don’t have enough spam, viruses, phishing attacks, and other forms of network-mediated malware assailing us, now we have Storm. Storm is a kind of compound malware, not so clever in and of itself, since it infects like so much other malware, via a user getting suckered into clicking a link. What is especially insidious about it is that it enslaves vulnerable machines, like a regular bot does, but then rather than going on the attack, it tends to lie there for a time, waiting for instructions. And the instructions come not from a central command center, but on a distributed C2 (Command and Control) pathway from a smaller group of command systems. In effect, the bot-herder can jack into the botnet at many points and from anywhere, making it exceptionally difficult to intercept and contain. The bot software is also reputed to self-modify when installed, so that it can further hide itself from anti-virus cleaners.

Probably the best and most readable technical overview of the Storm worm is here in Bruce Schneier’s blog.

Several pundits are predicting nothing short of the end of the world over this thing, and I grant that it’s going to be a bear to deal with, but I’m quite confident that it will be dealt with successfully. OK, so the Storm developers are very clever, but the good guys aren’t dunces, either. No, it’s much more likely to become part of the Internet background noise, just more gunk we have to filter out.

I mean, right now in my current work environment, only 3% – 5% of the emails we get in a given day are actual valid communications to someone here, the rest are spam or worse (this is by my actual count). We just filter them out, some get through, we individually delete them, and we go back to work. It’s a large problem, but it’s more of a nuisance than a threat to the business. And we all just keep emailing.

Of course, it might be placed in the hands of any of the various political terrorists around the world that are continually assailing us; they have very little to lose if the Internet itself is rendered unusable. This I do worry about, but it still seems unlikely.

The more important issues revolve around what we might have to do to harden our defenses, and what this will lead to in terms of a “revised” Internet. We currently enjoy the Internet as an extremely free and borderless ecosystem, where data races back and forth with few restrictions, and people dream up and implement new services — and new kinds of services — that no one could have dreamed of a few years ago. Harden all this down too much, and suddenly everything turns into molasses. Not good!

So something very bad happens. Will we have to license servers or individual PCs? Will there be qualifications to connect to the Internet? Will sysadmins need to be licensed? What about our ability to publish or participate in discussions anonymously?

I’ll address these and other related issues in a future post. But I encourage you to think about it now, because if the Internet takes a big hit from criminal or terrorist elements, the legislature won’t be far behind, and we all know what kind of technicians the lawyers are.

Yet another indication of the general lack of capability of the Department of Homeland Security surfaced this week, when the recipient of a relatively routine DHS counter-terrorism email newsletter attempted to have his delivery email address changed. His request, which he apparently thought was going to the mailing list administrator, in fact executed a “reply all” and shot off the request to all 7,500 subscribers. The humor of his simple request blasting the whole list resulted in an increasing number of recipients joining in with various sage and less than sage comments, and the initial wave of activity resulted in over 2.2 million emails being generated during the day.

Now so far, this is just a lighthearted little bungle, it does happen inside businesses or agencies, with no particular harm done except to the administrators of the email system. Once when I was at US Bank, some hapless low-level employee in the Proof and Transit department managed to “reply all” to a monthly-fluff-from-the-president email thinking he was asking his supervisor if the vacation schedule was done yet. So everybody got this email too, and some of the recipients’ email “I’m not here” notifications were sent to the “reply all” list, as were 2 or 300 emails back to him telling him what he had done, all these copied everybody and ricocheted around the bank until by 11 AM the whole system croaked with overload.

So, as it turns out, it’s possible to flag certain emails as “nonforwardable” and/or “nonreplyable” so this doesn’t happen. That was new stuff, about 5 or 6 years ago. And it was internal email in a bank.

But this is the organization in charge of protecting our critical infrastructure and us from terrorists! And, it’s 5 or 6 years later! The Times’ article points out,

The accident raised questions among cybersecurity experts about how well prepared the Homeland Security Department is to defend against a cyberattack because it had trouble dealing with this computer problem.

“It is a very simple fix,” said Marcus H. Sachs, a volunteer computer security expert at the SANS Internet Storm Center. “Do they not have anybody there that understands how to fix it?”

Actually, the worse problem is, don’t they have anybody who knows how to set it up in the first place? After all, this is not something that’s never happened before. Now they may argue, we’re so busy on the really big stuff, like setting standards for shampoo bottles when you fly, that we didn’t have time to do this right. To anyone who makes that argument with a straight face, I direct you to the parable of the talents in the Bible (Matthew 25:14 – 30). In the end, the master said, “Well done, good and faithful servant! You have been faithful with a few things; I will put you in charge of many things.”

I’d like to see DHS, and especially its cyber-terrorism unit, do some small things right, so we had a better feeling about their being able to do complex and critical things right, and right the first time.

In Washington, the Democratic Congress’ drive to get us out of the disastrous war in Iraq has utterly run out of gas, not even the smallest criticism of the President’s private war could be passed. The Democrats run the danger of their mascot being changed from the donkey to the possum — roll over and play dead. Exactly what did they think they got elected to do?

Here in the Northland, we have a similar problem with paying attention beyond the news headlines — only a few short months since the 35W bridge collapsed and we seem to have lost all the intensity and focus that a disaster like this should have brought forth. No one in MnDOT is going to be held accountable, it seems, the highest bidder has been selected with no actual design in sight, and even at the Federal level a billion dollars was appropriated for infrastructure repair and maintenance, but at the same time chucked into the bill 2 1/2 billion dollars for other, non-infrastructure projects. Wow! Such dedication! Such commitment to right a tragedy! The governor states that he will provide $X million to get to work with the rebuilding, but sotto voce says that since he won’t raise taxes “unwisely,” the money will come out of school funding and some other helpless constituencies.

So the litany of monstrous incompetence continues: the Transportation Department’s emergency manager Sonia Morphew Pitt, it turns out, couldn’t be bothered to cut short a trip to the east coast to come home and, well, manage an emergency, undoubtedly the biggest one MnDOT has faced in the last decade or so; no, she stayed out there and came home when she felt like it. Heckofa job, Brownie! Granted, the governor has voiced his “displeasure” at her behavior, but so far that’s all.

But the lack of attention to maintenance issues manifests itself in a bizarre way right at Highway Headquarters in St. Paul — the MnDOT building itself is falling down while we watch. Due to 20 years of neglect and an unwillingness to actually spend money, the facade of the MnDOT building is falling off. The huge stone slabs are peeling off and to get in the building you have to pass through a reinforced tunnel, kind of like going into a bomb shelter. But this outrageous situation is apparently not an issue for the Governor and his Lieutenant-Governor / MnDOT Commissioner Carol Molnau. But spend money to fix the building? Not on their watch!

And finally, talk about taking a solid, aggressive stand at dealing with our rapidly-eroding civil infrastructure: various highway officials around the country are standing up and bravely proposing that — yes — the evaluation terminology should be changed because “the public is getting alarmed” at all these terms like “fracture-critical” and “structurally deficient.” So, presumably if we change these alarming terms, the forces of gravity will be held at bay. How simple! Star-Tribune columnist Nick Coleman, one of the few who refuses to let all this die and be swept under the rug, proposes that we should call it “faith-based bridges: close your eyes and pray you get across.”

I’m tempted, but afraid, to say “just when you think you’ve seen it all . . .”

Growth in Hybrid Cars

See my own previous posts on my experience with my hybrid Toyota Prius.

A new study conducted by the R. L. Polk Company and released by the Minneapolis Star Tribune documents what is pretty obvious if you keep your eyes open on the roads lately — not only are there more gas-saving motorcycles and scooters out there, but there are a LOT more hybrid cars. The Midwest leads the nation’s regions in sales growth, and I’m proud to say that Minnesota leads the Midwest. In fact, we are second in the nation only to California: for the first seven months of 2007 versus the same time in 2006, California’s sales of hybrid cars increased over 150%, while ours here increased 98%. The nationwide average was around 55%.

Back in 2000, when my Father bought our family’s first Prius, there were only 115 of them sold in the state. In 2006, there were nearly 3,800 sold. Now that’s not a huge absolute number, I grant you. But every bit of sanity helps — every bit of gas saved is that much we are less in thrall to the kings and dictators in the Middle East. And the curve of the graph, rising at about a 70 degree angle, is nothing but good. And even more to the point, the sales winner in the Midwest in absolute numbers is Michigan, the home range of the crop of dinosaurs known as the Big 3. Is it any wonder they’re struggling to stay alive? Get with it, guys!

Separately, JD Power and Associates notes that only about 2.3% of vehicles nationwide are hybrids, and many of those (especially the SUVs among them) are optimized for power, not mileage, so although they are “hybrids” in the power train, they aren’t doing nearly as much good as they could. Again, not a huge number, but as gas prices inexorably increase and if continuing political disruption in the Middle East disrupts our oil supply and leads to rationing, the preference of the public for more rational vehicles will show itself.

And of course public policy can influence this. One reason California has so many hybrids is that a number of cities provide access to express lanes, preferred or no-charge parking, and other perks to hybrid owners. This can work here, too, and (to our tax-obsessed state government) note that these perks have essentially no tax or spending impact. Ditto for motorcycles, which I note already enjoy considerable preferences in road access and parking leniency.

So, get with it. Sell your Hummer or SUV, and buy a motorcycle and a Prius, go heavy-green all the way.

Last week I took a complete, cold-turkey technology break and headed up into the Minnesota-Canada Boundary Waters via canoe, in the able company of my dear wife Mary and my youngest daughter Sarah. No email, no phone calls, no checking the weather radar — just the old standby maps and compass. Well, OK, I did have the phone along, just (strictly in the Interests of Science) to see if I ever DID have any cell coverage anywhere (yes, analog coverage at Phoebe Lake, on a hill), and I did sneak a peek at my GPS, but never to navigate. But other than that, it was just us, the water, and the sky. If you’ve been there, we put in at Kawishiwi Lake and then followed the lady chain through Polly, Phoebe, and numerous others, ending up back at Sawbill Lake and Sawbill Outfitters.

And it was wonderful. Takes about a day, but suddenly you re-connect with your ability to focus directly on the here-and-now in front of you. Absent street lights and high-efficiency fluorescent lamps, you are forced into the rhythms of the environment: waking by daylight, turning in at dark — there was a total burning ban, so no campfires to keep you up. You take it as it comes, sun, drizzle, wind, calm, waves, beaver dams . . . they’re just there and so it goes.

But were we without technology, actually? No birchbark canoe, not even our old Grumman ironboat, we rented a vacuum-bagged Kevlar Wenonah that for a 20-foot boat weighed only 49 pounds, a real blessing on the portages. We had a mix of packs, including traditional Duluth packs and a similar pack by Granite Gear, but inside them were high-strength polyethylene bag liners. And we had a pump-style water filtration unit to remove bacteria, protozoa, and viruses. I had a new flashlight with an LED instead of an incandescent bulb. We even had along a bent-shaft paddle, optimized for efficiency through experience at the Olympic Games.

So maybe it was only the communication technology that we eschewed. Technology that is there to enable us to socialize with others, but in trade for this also puts us at the mercy of them: to interrupt us, to demand our attention, to point out a problem and solicit our solution, to unceremoniously and at the touch of a button yank us out of our canoe and drop us into a conference room somewhere. So, maybe getting away from all that allows us to recapture our own time and attention, just for us our own selves!

So we slid across lakes and through small rivers, around seemingly magic bends and past islands into invisible bays, and while each vista was unique they were also all the same — rocks to the waterline, trees that seem to make a solid wall behind the shores, and always the water. The water that carried the voyageurs, that carried the canoes of the Ojibwe, the Huron, and the Cree, that carried casual travelers before us, now carries us equally well. More than our canoe, it carries our spirits as deeply into the calm-giving wilderness as we dare to let it take them.

This post ought to be titled, “The Engineers Were Right, and the Politicians are Spineless Invertebrates,” but then people would complain that I’m just whining and casting stones because I’m an engineer. Well, I’m casting stones, but no whine here — I’m really frosted about this. I’ve driven that bridge too many times to be satisfied with the “buck stops somewhere else, we are not responsible” mentality of not only the Pawlenty administration, but many of the ones that preceded it, and not only here in Minnesota, and Louisiana, but lots of other places too. It’s glamorous and fun to build, but just dull and boring to maintain, and maintenance costs money that no one sees.

So in the collapse of the 35W bridge in Minneapolis we see a slight miscalculation of a “no taxes” administration and its “we don’t have a revenue problem, we have a spending problem” Commissioner of Transportation. Although with gross dishonesty they’ve stated “money was never an issue,” that’s patent drivel. Money was, and is, all of the problem in the precipitous decline of our national infrastructure.

It’s also blatant dishonesty to say, as the Pawlenty / Molnau administration has done, that “we had no warning, we were never told!” Just like Bush at New Orleans, they are all surprised by this sudden problem, which they thought they had pushed off safely into the future. This in spite of constant warnings from engineers about the Levees in New Orleans, or the progressive structural problems in the 35W bridge (and other similar bridges in Minnesota, of this and other designs), they are surprised, and yet not to blame! Their own engineers complained for 15 years about the poor condition of the bridge, but if stalling action saved money today, the Pawlenty administration did it so they could say, “we held the taxes down.” They hoped, apparently, that the bill for this neglect would come due in someone else’s administration.

The Transportation Commissioner piously notes that “we have a maintenance plan, within the resources we have available,” while the Governor vetoes gas-tax increases targeted at road repair, that would have provided these resources. QED! We have no problem!

But the chief tax-cutting think-tank, the Taxpayer’s League, now tut-tuts and says “let’s not start the blame game,” but so help me there IS blame here, blame laid at the doorstep of the last several Transportation Commissioners, and the Governor, and the layers of faceless bureaucrat-managers who watered down the straight talk in the engineers’ and bridge-inspectors’ reports into the relaxed pablum that let these people — spineless politicians all — look aside and hence “be surprised” when the bridge fell.

Make no mistake, we are consuming our civil infrastructure — roads, bridges, dams, power lines, parks, public buildings, pipelines, the air-traffic control system, and more — as if it were endless and as if we had no responsibility for it at all. We’re consuming it because we don’t have the courage to tax ourselves to repair what we have inherited from our forebears. It’s that simple.

There are more buzzards coming home to roost, mark my words. We spend money without end in Iraq to combat our enemies the terrorists, but for maintenance of our domestic infrastructure, to quote Pogo the Possum, “We have met the enemy and he is us.”

Ever leery as I am about only throwing stones at other people and never offering anything useful as a solution, I now present my Four Great Suggestions for reducing the terrorist threat to the US. I do this as the current Bush administration seemingly seeks to prepare us for additional losses of personal rights and privacy in the name of “combating terrorism.” And administration shills like Senator Rick Santorum have started touring the country drumming “there’s going to be another attack, there’s going to be another attack” to try to scare us into submission. So rather than meekly giving in to this bogus raising of boogeymen, let’s just actually look at why these people are attacking us, and counter those reasons! Much simpler and more cost-effective.

I presented these earlier in a comment I posted to an article on Newsvine, which you all ought to be reading anyway, but here is my solution to this mess we have walked into:

1. Dramatically reduce our dependence on middle-eastern oil so they have less leverage on us;

2. Stop attempting to meddle in middle east politics and issues, those people have to work it out for themselves, they have to kill until they’re sick of killing and finally want to find common ground with each other;

3. Stop depending on a spy-counterspy mentality to save us, the Brits and the Germans catch terrorists with good old-fashioned police work, and we can do this too, we don’t need to sacrifice our hard-won freedoms on the altar of Homeland Security;

4. Ensure that we remain a (however flawed) melting pot that can absorb immigrants and make them part of a long-term American dream. We must BE the shining beacon on the hill to the rest of the world, we must implement in our hearts Emma Lazarus’ poem on the base of the Statue of Liberty:

Not like the brazen giant of Greek fame,

With conquering limbs astride from land to land;

Here at our sea-washed, sunset gates shall stand

A mighty woman with a torch, whose flame

Is the imprisoned lightning, and her name

Mother of Exiles. From her beacon-hand

Glows world-wide welcome; her mild eyes command

The air-bridged harbor that twin cities frame.

“Keep ancient lands, your storied pomp!” cries she

With silent lips. “Give me your tired, your poor,

Your huddled masses yearning to breathe free,

The wretched refuse of your teeming shore.

Send these, the homeless, tempest-tost to me,

I lift my lamp beside the golden door!”

None of this has the satisfaction of slaughtering people we disagree with, or reducing their countries and economies to absolute ruin, and watching their children starve in the street or be blown to smithereens because they disagree with our politics, but I believe in the long run it will bring us more safety and security than comes out of the barrel of a gun. “He who lives by the sword will die by the sword.” The standard we set in the world is the standard by which we, and our civilization, will be judged. What will that standard be? Rule of law, or Guantanamo? Geneva Convention, or torture? Freedom, or repression? It’s our choice, in fact, it’s US.

It’s been slightly over a year since I wrote my first post on my Toyota Prius, and I’m now right at 100,000 miles on the clock, so I thought I’d write a quick update on my experience. Interestingly enough, that post is one of the most popular posts I’ve written, and accounts for about 30% of the accesses to my archived posts, mainly from links from Google. So obviously it’s a popular subject with lots of people.

So, here’s where I am:

  1. For the last 450 miles on my consumption monitor, I am averaging 52.4 MPG in my normal driving cycle, which would be classified by the EPA as “mixed suburban.” It’s in the high 80s to low 90s here in Minneapolis, so this should be the peak of my mileage, and last year during these hot spells, when the battery chemistry is most active, based on past experience I would be expecting to be getting about 55 MPG or so, therefore my mileage appears to have declined by 2.5 MPG, or about 4.5%. This is probably due to wear in both the gas engine and the battery.
  2. Due to both my careful driving style, and the regenerative braking on the Prius, I am still on the original brakes. All that deceleration has been used to charge the battery rather than just heat up the brakes!

In the maintenance department:

  1. I have given it only the recommended maintenance, nothing fancy, mainly oil changes at Rapid Oil. I’m using a synthetic blend since this helps an older engine seal at the rings and the valve stems, but that’s all, no other additives or gizmos.
  2. There was a recall on the starting battery, a 7.5-volt gem (my only real irritation with the car). The battery was free but the hold-down was changed (and has been changed in later production models), and they charged me to replace it, which I thought was dumb, but then anybody who puts a 7-volt battery in anything but a flashlight can’t be trusted to manage the hold-down, I guess.
  3. The only significant maintenance item has been a failure in some part of the driving battery management circuit. I left the car for a long weekend when I went to the lake, and during that time it somehow managed to discharge itself to zero. Interestingly, the gas engine is not able to cold-charge the 240-volt driving battery, and when it detected what was up it simply refused to run. I had it towed in and they replaced the offending circuit board, but then had to bring the driving battery back from the dead, which takes a special charger of which there is only one in the region — and fortunately they had it at one of their other dealers, so I was soon back on the road.

So that’s it. The car’s still steaming along, the core of my car pool, looking toward 200,000 miles. Still regularly gets better mileage even than my Harley. I have no complaints and in fact I would buy another one in a minute.

To the various people who told me it would never last in daily use, HA! To the automotive writers and pundits who said that it’ll never really get that kind of mileage in real life, HO! As the sticker in my back window says,

EAT MY VOLTAGE.

 
