Tuesday, September 30, 2008

Most interesting article in months

Yesterday I tweeted about this article from the WSJ.

It describes a web site with an immense community of people--all of them watching a web cam looking out over a kid's front lawn. Purpose of web cam: surveillance--catch thieves of Obama signs.

Under such circumstances, with "squirrels moving about" being one of two exciting events to happen thus far, statements such as "people with too much time on their hands" come to mind, and yet, is it the case?

The web site serves as a community, formed ad-hoc and yet not at all ridiculous. While the members obviously care for the reason they are there, namely, the Obama sign, and they would do quite a bit to make that point clear, they are followers and leaders in an online community with its own internal memes and pressures.

I can't predict if this community will last at the current interest levels over time, but it is an extremely interesting occurrence.

The stated fact that sign stealing is indeed a problem in several states, combined with direct communication between Obama supporters in different geographical locations outside of their own social circles, would be strong enough, but add to that:

1. A feeling of fulfillment with a purpose -- watching the sign.
2. The home feeling of belonging to this formerly anonymous family.
3. Low-key moderation, but with clear leadership and stated occasional reminders of boundaries of discussion.

And you have an intriguing group dynamic.

The Obama sign, while important, is in my unverified opinion more of a badge which ideologically everyone there respects and needs in their "back yard" (pun intended) for political muscle in the group.

I'd be following this in the news, if follow-up stories are written (they often aren't). This also shows people can find alternative ways of discussing what they care about with the continued degradation of what I'd consider news and discussion forums, with clear agendas and untrustworthy reporting, on both sides.

This is indeed the most interesting story I read in months. And as a secondary point, I know two other folks who dealt with local security problems such as theft and bad players in their neighborhoods by installing such cameras.

Gadi Evron,

Follow me on twitter! http://twitter.com/gadievron

Monday, September 29, 2008

Introducing yourself

A friend of mine found he was introducing himself poorly when he started his startup. I twittered about it, but after three message updates decided it was worthy of a blog post.

I did some online research (read: Googled) on what the "repeater machines" (learning how to be human beings/business people/coaches/FOM--my acronym for Fad of the Month) were saying about the proper way of doing so.

The first hit in Google seemed to be built right for my friend; I never read past the first paragraph, though.

The search was worth it though, as pretty soon I came across some very funny links:
Bad ways to introduce yourself to women
Introducing yourself to large-breasted women

How do you introduce yourselves?

My friend originally started with: "ahh, I program, err.. I have this startup but I can't tell you about it". He will soon find his way, what is yours?

Me? I often skip introductions altogether.

"Introducing yourself" is not to be confused with the important 30-seconds/200 words "elevator pitches", which are good not just for new ventures but to get your point across--something I still struggle with daily, being naturally inclined to brainstorm my way across the world.

Gadi Evron,


Friday, September 26, 2008

Estonian Cyber Security Strategy document -- now available online

The Estonian cyber security strategy document is now available online. I must say once again the concept of a national cyber security stance is quite interesting.

Those who wish to download the document:

My contact there specified she'd be happy to answer any questions. To avoid spam of her inbox, email me for her address.

Gadi Evron,


Thursday, September 25, 2008

Internet Vigilantism

The good people at Renesys wrote a blog about what they call "Internet Vigilantism".

While I feel I cannot yet fully comment on the whole Atrivo / Intercage depeering movement, there is an underlying strategy to consider. I will comment at a later date.

The blog above asks:

While I'm not a big fan of cyber-crime or the providers who knowingly host these activities, I can't help but wonder where law enforcement is in this story. We still have laws, right? There is a lot of questionable activity and content on the Internet that is thriving and has no shortage of suitors. Even the most cursory look of what passes for "content" should convince anyone that it's pretty hard to get thrown off the Internet — it just doesn't happen. But since it just did, I have no trouble believing that Atrivo had it coming. It's tough to piss off the entire world, especially when you have the money to pay them off. I only wonder why the cops didn't get there first [...]

My response is, 'okay', but please don't call it Vigilantism.

There is a difference between Vigilantism as it is perceived today and Vigilantism as it is in the dictionary. It means neighborhood watch.

When the police are not around, that is something you need. "It's for the children".

Gadi Evron,


Tuesday, September 23, 2008

Disintegrate! Gust of wind! Can we get back to saving the world already?

I've recently been involved in an email thread which, partly by my doing, unfortunately degraded into a dirty flame war for a few hours.

Whenever meta discussion takes over real discussion, frustration builds up inside me. This comic strip from today, which a friend just sent me, seems to explain the concept much better than I can.

Order of the Stick: http://www.giantitp.com/comics/oots0595.html

Gadi Evron,


Estonian Cyber Security Strategy document, translated and public

The Estonians have a public version of their cyber security strategy translated into English (currently available offline only). The concept of a national strategy for cyber security is one which I am particularly fond of (also see previous post, An Account of the Estonian Internet War).

The following is the Summary section from the document which might be of interest (Estonian Cyber Security Strategy — Cyber Security Strategy Committee, Ministry of Defence, ESTONIA, Tallinn 2008):

* * *

The asymmetrical threat posed by cyber attacks and the inherent vulnerabilities of cyberspace constitute a serious security risk confronting all nations. For this reason, the cyber threats need to be addressed at the global level. Given the gravity of the threat and of the interests at stake, it is imperative that the comprehensive use of information technology solutions be supported by a high level of security measures and be embedded also in a broad and sophisticated cyber security culture.

It is an essential precondition for the securing of cyberspace that every operator of a computer, computer network or information system realises the personal responsibility of using the data and instruments of communication at his or her disposal in a purposeful and appropriate manner.

Estonia's cyber security strategy seeks primarily to reduce the inherent vulnerabilities of cyberspace in the nation as a whole. This will be accomplished through the implementation of national action plans and through active international co-operation, and so will support the enhancement of cyber security in other countries as well.

In advance of our strategic objectives on cyber security, the following policy fronts have been identified:

  • application of a graduated system of security measures in Estonia;
  • development of Estonia's expertise in and high awareness of information security to the highest standard of excellence;
  • development of an appropriate regulatory and legal framework to support the secure and seamless operability of information systems;
  • promoting international co-operation aimed at strengthening global cyber security.

Policies for enhancing cyber security

1. The development and large-scale implementation of a system of security measures

The dependence of the daily functioning of society on IT solutions makes the development of adequate security measures an urgent need. Every information system owner must acknowledge the risks related to the disturbance of the service he or she provides. Up-to-date and economically expedient security measures must therefore be developed and implemented. The key objectives in developing and implementing a system of security measures are as follows:

  • to bolster requirements for the security of critical infrastructures in order to increase its resistance, and that of related services, against threats in cyberspace; to tighten the security goals of the information systems and services provided by the critical infrastructure;
  • to strengthen the physical and logical infrastructure of the Internet. The security of the Internet is vital to ensuring cyber security, since most of cyberspace is Internet-based. The main priorities in this respect are: strengthening the infrastructure of the Internet, including domain name servers (DNS); improving the automated restriction of Internet service users according to the nature of their traffic, and increasing the widespread use of means of authentication;
  • to enhance the security of the control systems of Estonia's critical infrastructure;
  • to improve on an incessant basis the capacity to meet the emergence of newer and technologically more advanced assault methods;
  • to enhance inter-agency co-operation and co-ordination in ensuring cyber security and to continue public and private sector co-operation in protecting the critical information infrastructure.

2. Increasing competence in cyber security

In order to achieve the necessary competence in the field of cyber security, the following objectives have been established for training and research:

  • to provide high quality and accessible information security-related training in order to achieve competence in both the public and private sectors; to this end, to establish common requirements for IT staff competence in information security and to set up a system for in-service training and evaluation;
  • to intensify research and development in cyber security so as to ensure national defence in that field; to enhance international research co-operation; and to ensure competence in providing high-level training;
  • to ensure readiness in managing cyber security crises in both the public and private sectors;
  • to develop expertise in cyber security based on innovative research and development.

3. Improvement of the legal framework for supporting cyber security

The development of domestic and international legislation in the field of cyber security is aimed at:

  • aligning Estonia's legal framework with the objectives and requirements of the Cyber Security Strategy;
  • developing legislation on protection of the critical information infrastructure;
  • participating in international law-making in the field of cyber security and taking steps internationally to introduce and promote legislative solutions developed in Estonia.

4. Bolstering international co-operation

In terms of developing international co-operation in ensuring cyber security, the Strategy aims at:

  • achieving worldwide moral condemnation of cyber attacks given their negative effects on people's lives and the functioning of society, while recognising that meeting the cyber threats should not serve as a pretext for undermining human rights and democratic freedoms;
  • promoting countries' adopting of international conventions regulating cyber crime and cyber attacks, and making the content of such conventions known to the international public;
  • participating in the development and implementation of international cyber security policies and the shaping of the global cyber culture;
  • developing co-operative networks in the field of cyber security and improving the functioning of such networks.

5. Raising awareness on cyber security

Raising public awareness on the nature and urgency of the cyber threats might be achieved by:

  • presenting Estonia's expertise and experience in the area of cyber security at both the domestic and international level, and supporting co-operative networks;
  • raising awareness of information security among all computer users with particular focus on individual users and SMEs by informing the public about threats existing in the cyberspace and improving knowledge on the safe use of computers;
  • co-ordinating the distribution of information on cyber threats and organising the awareness campaigns in co-operation with the private sector.

Gadi Evron,


Wednesday, September 17, 2008

ISOI 5, Tallinn, Estonia - Summary!

ISOI stands for Internet Security Operations and Intelligence. It is a professional conference, but with a very casual atmosphere. It brings together individuals who work daily to secure the Internet and respond to global security incidents, mostly as volunteers. They are often employed in government, law enforcement, ISPs and Telcos, anti virus, security industry and academia.

We often invite some policy makers as well, but they are there to learn rather than participate.

The conference is run under the Chatham House rules, with the added caveat of having to seek permission from the presenter before mentioning in public what was talked about.

When Hillar Aarelaid first approached me about hosting ISOI in Estonia, my first reaction was: 'cool'. My second was: 'ahhh'. After all, while going to Europe is something we wanted to do for a long time now... who would go as far as Estonia? I said 'go for it', and the rest is history.

How do the rednecks say: 'Boy!' I am happy I took the chance. I forgot the venue factor. You can judge how many people will attend the Virus Bulletin conference by, for example, if there was a conference there before, and how good of a vacation spot it is. Dublin was a huge hit, as was New Zealand. Get my drift?

Within two days of announcing ISOI 5, we had 50 Americans who RSVP'd as attending. We had two Europeans. Mind-boggling.

As the conference approached, more Americans RSVP'd and we found it amazing we had barely the same number of Europeans. We later found out that there were five other conferences before or immediately after ours, not to mention one in Sweden on the very same dates. The scale was then tipped and we ended up with lotsa Europeans, but the lesson about what vacation venues mean to Americans was learned.

Randy Vaughn once again came to the rescue with preparing the online schedule, and Hillar along with the rest of the Estonian CERT made our stay amazing, and ran one hell of a conference.

Conference highlights
1. Estonian girls. Enough said.
2. No tax on alcohol. Enough said.
3. No sleep in between conference days. 'So say we all!' :)

Two evenings before ISOI, before the local Estonian CERT conference, we all went out to an Irish pub, called St. Patrick's of all things. Hillar picked up the tab.

The evening before ISOI we all went out to a local place across from the Viru hotel, where after drinking profusely for hours and eating dinner, the bill was only 200 Euros or so (I just got diet coke, shame on me).

Chad from Sunbelt simply picked it up instead of gathering money, saying it costs less than dinner in Vegas--he is a great guy. Danny McPherson from Arbor picked up what was ordered later, which couldn't have possibly been more than 50 Euros--Danny is one of the more fun guys around. Lots of thanks to them both. Alcohol is really cheap over there. Think the night ended there? Think again.... but let's talk about the conference now.

While ISOI is centered around the trusted and vetted communities of folks who spend time protecting the Internet against evil cyber criminals (ooh), one highlight of the conference for me was a lecture named The Limits of 'permitted self-help' in Internet Security and Intelligence by Alana Maurushat, an Academic from Australia.

She opened the discussion of how far "vigilante" groups (I hate that term, especially when it is wrong) can go, what is legal and what isn't. Needless to say, while she was interesting, her initiation into our group was by fire. Several of us, while appreciative, were "active participants".

She started by showing pirates on the screen, followed by an entire room yelling "Argh!!!". Good start.
The interesting discussion aside, she had to keep saying "permitted self help". I kept wanting to ask "right or left hand?" but eventually ended up using Aussie terminology (as she is from Australia, after all), saying "so, what are these wankers all about?"

Eventually I just said she must stop implying we all masturbate for a living, but it was a good time and a great discussion. She had a cold, and it was her birthday. Trial by fire, indeed. I hope she comes back, she added quite a bit to the mix.

Rick Wesson showed a map of abuse on the Internet inspired by an xkcd comic, and many other presentations filled the day, which unfortunately I barely had time to listen to. While Hillar was amazing and ran most of the conference, being the organizer keeps you busy. The rest of the presentations I can't really talk about without seeking permission (see first paragraph about Chatham House rules and caveat), so...

At the end of the first day we gathered some of the defenders of the Internet "war" of last year on a panel to answer questions. Estonians are very shy, so moderation was problematic, but it ended up being pretty interesting.

In the evening everyone went to a local restaurant/bar with local Estonian food, for the official "reception". Microsoft, Hansapank and SEB picked up the bill for the food, and Norman volunteered to pick up the drinks tab. I asked them to cover 1000 Euros, and after the first evening we never believed they would pay more than 500, given the low prices. It ended up being 1200 Euros. Unbelievable, but some of us can drink! Thanks Norman!

The second day had many neat presentations, but the second half of it was filled with presentation after presentation on the cyber conflict in Georgia last month, and one presentation on RBN by Jart Armin.

As a surprise (for me as well), Hillar flew in last second a system administrator from one of Georgia's banks to discuss how things went from her perspective. She gave a very good presentation, but the surprise he intended for me was ruined. Hillar was somewhat annoyed when I came to him with her business card. How did I find out, you ask?

"Hello, who are you? :)"
"I am Masha, I am lecturing tomorrow"
"No you are not, and I should know.. this is my conference"

I ended up giving her my copy of "Stranger in a Strange Land" by Robert A. Heinlein, which she earned (but left me book-less for the flight back home).

The rest is history. :)

Quite a surprise from Hillar!

The last evening of ISOI is when people often go off with friends to eat dinner. The Viru hotel bar seems to have become the main gathering point from which people went in groups, came back and left again. I sat back with my laptop, staring out the window as Estonian girls passed continually, while trying to hold up my end of several conversations.

It was a very good ISOI, and a very fun one, as well. Next one is around February, in Dallas TX. After that we will have one in Norway.

Special thanks once again go to the Estonian CERT: Toomas (who helped organize), Tarmo (who operated everything), Aivar (who regardless of anything, I am just happy was there), Kathrine (who made sure we all had food, and took care of us) and of course, Hillar!

Gadi Evron,


Tuesday, September 16, 2008

I should be shocked

From the nothing-is-holy and it-unfortunately-makes-sense departments.

I just received a 419 Nigerian spam attempt, but the means by which it reached me should have my blood boiling with anger.

It was sent as a comment to a eulogy I wrote in a Guestbook opened after the death of a friend.

How dare they, you ask? It only makes sense--I opened the message, didn't I?

Gadi Evron.


Sunday, September 07, 2008

I'm interested, but in you

[syndicated from a friend's blog where I posted this anonymously a few months ago]

Walking happily in the mall carrying my brand new Mac, a salesgirl caught my eyes and asked me to come over.

I walked closer stating clearly "I will come over, but I don't want to waste your time. I'm not buying anything." She was happy for me to approach regardless, smiling. I think I smiled back.

As soon as I got near the stand, she took my hand, kindly (felt nice) but firmly, and led me closer, turning me toward the stand and her. I was keenly aware of how this hand-hold made my body automagically follow her and of how breaking physical contact is difficult.

The salesgirl began to slowly fold the sleeve on the hand she held, probably preparing me to smell something, still touching my hand as she chatted me up. "Why do you have a Black Hat shirt but no black hat?"

I decided being nice and letting her flow with our chemistry, manufactured or not, is more than okay. How to simplify the answer though?

"I'm a hacker" *smile*

At this point, sleeve pulled back and hands removed, she tried to convince me to try something on. I considered the "I'm allergic" excuse, but saw no reason to lie. "Thank you, but I am not interested," I said with finality.

"You bought a laptop?"
"Yes, just got out of the Apple store." Which incidentally, is right in front of the stand, and I was carrying the laptop case.
"Have you ever been stuck at an airport for like eight hours? What do you do for so long? Me it just drives nuts."
Raising my eye-brow but not missing a beat, showing real interest, I replied "I was once in London for six hours, I went to the center, ate lunch, and got back just in time for my flight."
"Yes," she said, slightly pouting "but what if you are stuck there for eight hours with nothing to do, what do you do then?"

When she left my hand alone, I waited a bit, and slowly started pulling my sleeve down while talking.

"It is always fun to get out of the airport and explore."
"Always?" she insisted.
"Sleep works. I really hate the Frankfurt airport, and there is nothing to do in Frankfurt." I rolled my eyes. "I was once stuck there for ten hours and just went to sleep."
"The laptop must help" she offered.
"Why, of course! The first thing I do when I get to the airport is look for food," *pause* "Obviously" *smile* "Then I start looking for a power socket for my laptop".

She tried again.
"How about this here..."
"I am not interested in creams."
"Ah, this is for your nails." *smile*
"Thanks, no." *smile*

Maybe my smile was an invitation incongruent to my verbal negation, but she kept going. When someone smiles at you--you often smile back whether you know it or not.

"Are you interested in me," *very slight pause* "showing you this here?" *smile*
I considered saying yes again and the allergic excuse tried to pop up, then with a large smile filling me and my face I heartily responded "I am interested in you," *slight pause* "not what you offer." *big smile* "But thank you so much."

Usually I'd not refuse, but I am not going to buy anything so why waste her sales time?

*Almost awkward pause* I followed up.

"You are good. If I was not aware of what you are doing, building rapport, you'd have me wrapped around your finger by now."
"Thanks, tell that to my boss." Who she pointed to. He was very interested in our conversation throughout, although he maintained his distance.

I half turned to go, and looking back from my shoulder "Can I ask you guys a quick question?"
"Sure" she said. She was still looking at me and nice, but not as excited and slightly pouting.

"Well," I began "again, you are very good, but did anyone teach you..."
She softly cut in "The story was true."
"I am sure it was," *smile* "but before you had your own story, did anyone teach you an example story to use?"
"No," she said, "it's all mine." At this point the boss was also in the conversation, although he never really spoke. He leaned in and had his half smile of amusement and interest changed to one of interest and sarcasm.

I took my cue, thanked them both, and left.

Four points:
1. Holding my hand (shaking it then not leaving?) gave her control over me to make sure I stayed and move me around. It made us closer instantly. Maintaining touch opened me to her approach and made sure I listened. Even with the real-time analysis of what she was doing, it was slightly difficult for me to not do whatever she asked.

Powerless to stop it or not, me "letting" her fold my sleeve, although done slowly while keeping eye contact with me (so that I barely notice), implies that I already showed interest in what she offers. Regardless of me clearly stating otherwise. Having done that, why not try some perfume? It would be silly to roll the sleeve back down without trying, right?

2. She attempted to create rapport with me by speaking about my Black Hat shirt. I let her, but did not agree to buy. She may not have known much about hacking, decided I required a more intelligent approach or chose to use a different story to create more rapport.

Picking on another environmental cue, she spoke of my new laptop with the airport story. Perhaps my accent helped her spot me as a foreigner, but a separate story helped us feel more familiar with each other and took longer to explore.

3. When I said I am not interested in creams, she immediately disarmed me with "nails". This took me back a moment as I am a guy, and not a very beauty-aware one.

It was a nice and natural way to change the subject and kill my objection--what she said (nails) wasn't as important as this negation (don't worry). In my case though it wasn't the best approach--especially as I didn't shave in two weeks. It should have screamed at her.

4. Although said in a flirtatious manner and not offensive, my "I'm interested in you, not what you sell" was a carbon copy of her disarming techniques. She couldn't break rapport, especially since I kept the chat with a smile after that.

Turning to leave then staying, but talking almost as in an after-thought without facing her, made her feel she isn't stuck with me and allowed me to explore her sales techniques without being too threatening, especially as I am four times her size. She probably lied, though.

All-in-all, it was a fun conversation and I didn't waste more than two or three minutes of her time. I didn't realize I could analyze her sale so easily. I can't wait to try this again in a year when I know more and see what I spot then.

Perhaps with a more advanced sales person such as an insurance agent, who will be more sophisticated. Seeing my progress is a big boost to my enthusiasm.

Gadi Evron.


Saturday, September 06, 2008

Cyber crime: an economic problem

During ISOI 4 (hosted by Yahoo! in Sunnyvale, California) whenever someone made mention of RBN (the notoriously malicious and illegal bulletproof hosting operation, the Russian Business Network) folks would immediately point out that an operation just as bad was just "next door" (40 miles down the road?), working undisturbed for years. They spoke of Atrivo (also known as Intercage). The American RBN, if you like.

In fact, while many spam operations use botnets and operate all around the world, a lot of the big players own their own network space and operate hosting farms, which are constant and "legitimate", right in the US--for years now.

While we may not be able to make contact and mitigate incidents in some countries, these operations inside the United States of America run undisturbed. They register thousands of domain names every day and fuel a whole economy, starting with spam, continuing with phishing, malware and DDoS attacks, and ending in child pornography and more spam.

For years the Internet has become increasingly "dirty". It isn't just about the thousands and millions of concurrent security incidents (automated, malicious code-based and other) happening every minute of every day.

It isn't even about the next stage, the botnets and massive fraud attacks. It's about the problem not changing. The Bad Guys (TM) or miscreants as some of us tend to call them (I prefer criminals) are a business. They have R&D, operations, outsourcing and so on. They collect statistics to make sure their revenue stream is maintained, and act to rectify the situation if it isn't.

They (ab)use the Internet for their business, but have shown, in old Russian war style, that if you go against them, they are not afraid of destroying this revenue stream called the Internet. Scorched Earth is an acceptable strategy. The criminals established a working deterrence on the Internet, as unlike us, they are willing and capable of using their power, to let the Internet go (root server attacks, Blue Security incident, etc.).

To change this equation the first realization we had was that this is an economic problem.

Changing the Economic equation
To impact their business you have to change how they treat it. This comes down to a basic cost vs. benefit calculation:
  • Cost (earning less or spending more)
  • Benefit (earning more or losing less)
Meaning, if it costs them one cent to send out 10 million spam messages, they are already spending more than they should. If they only earn a million USD a day, they are behind schedule for their quarterly revenue goals. Asymmetrical much? :)

Anecdote: some UK banks lose over a million POUNDS each every DAY during phishing and banking malware attack waves.

We used to be able to impact their cost by "killing" their botnets, or making sure phishing sites stayed "on the air" for less time.

They have contingencies, design and operations to ensure they are never "down". They register domains for use just for a few minutes, and then discard them. Their botnets immediately jump to a new location if one "goes down", if it wasn't just a temporary location to begin with.

Graceful degradation is terminology not reserved just for the house of representatives.

This is not always true. When "bullet proof" hosting is found, they don't need to jump around. Example, some phishing sites hosted on Atrivo's IP space have been up and running since early 2007.

By taking down malicious sites, or as we like to call it, whack-a-mole (it just pops up somewhere else) we played the game, and they got better at what they did--they evolved.

The answer was: law enforcement. If the RISK factor became high enough, we could change the economics of the problem space.

Unfortunately, while having good intentions and good people, law enforcement is:
  • Considerably under-staffed
  • Hardly able to communicate inside the US
  • Barely able to communicate with agencies in other countries
  • When able to communicate, it often takes up to a year (unless they go off the books and talk to the folks directly rather than through Interpol)
  • When successful, often takes years (more than two) to build a case
  • Then, success is rare in comparison to the number of incidents
So what are we to do?

Law enforcement vs. maintaining our networks
At some point every network operator comes to this fork in the road. "Do I maintain my network and kick this SOB off my network, or wait for law enforcement?"

The answer should be self-evident by now, best intentions included.

This ties back in to the current situation with Atrivo / Intercage, which we will discuss later.

Gadi Evron.

Follow me on twitter! http://twitter.com/gadievron

Friday, September 05, 2008

RIP: Kevin Martin :(

Kevin Martin, a funny, nice, knowledgeable, tolerant and smart person, passed away today from a heart attack while being treated for colon cancer.

In this post I will share some of my thoughts, and some of his text. Please feel free, if you knew him, to share some more of the things he said and wrote in the comments section below.

He was an anti-spam community member, a science fiction fan, and an inspiration. I did not know him very closely, but I am truly sad. Our interactions over the last several years were always a pleasure, and when I heard of this my only thought, for at least 10 seconds, was:

But I couldn't reply to the message which told me of his passing with NO!
I wouldn't convey my soaring emotions, with NO!
I could only convey them in a proper fashion, saying it is sad news and a bad day. Bugger that.

That's not enough. For those of you who read this post, I searched for and quoted some of Kevin's email interactions of the past couple of years, to give you a taste of the sort of guy he was.
I don't think he'd mind, but I have no way to find out.

I will mostly quote discussions on public mailing lists where I was involved, or directly with me, although there are a few snippets out of other discussions, which I believe are OKAY.

Kevin, you will be missed.

On a personal note, Kevin is the second person to be linked to me in a social network, whose profile is active, but is no longer there. These Empty Spaces, as a friend of mine described so well, are sad. Messages in the middle of threads no longer being there, tags disappearing out of photos, accounts which sleep, and yet are there.

Memories of Kevin

In response to an email thread about spam, I once saw him say the following:

"That there are people who forgive is good, because it gives people who spam a reason to stop.

"That there are people who don't forgive is also good, because it gives people who have never spammed a reason to not start."
-- der Mouse

Speaking of himself:

Subject: Who, me?
Was one of the people clogging the Usenet moderators list that Chris Lewis mentioned, circa 1998, when someone tipped me off that the spam discussion was taking place elsewhere. And so it was, and so it is.

I'm now somewhere in the gray area between self-employed and semi-retired.

First message sent to the SF-hackers mailing list (a mailing list for old computer geeks who are science fiction fans):

[SF-hackers] Who Goes There?
Kevin Martin
Sat Apr 14 19:49:42 CDT 2007

I suppose you're wondering why Gadi called you all here tonight.
You're welcome to blame me.

Gadi Evron wrote:

>> I am unsure, but I think I never read anything with [John W.
>> Campbell's] name on it... what a shock.

To which I replied:

Okay... Have you ever read anything by Isaac Asimov, Robert A. Heinlein, or Spider Robinson? Lester Del Rey? Theodore Sturgeon?
A. E. van Vogt?

We were speaking of the best-known story by John W. Campbell the author, but he's much better known as the editor who discovered, polished, and published just about every well-known science fiction author of the forties, fifties, sixties, and early seventies.

If you like any of those, they're Campbell, one step removed.

... and things just sort of got out of hand. Enjoy.

Speaking of blog comment spam:

> Is there some other software I should be looking at?

The Akismet plugin for Wordpress has been kicking butt and taking names since I turned it on. It only asks me to intervene if it's not sure, which has been twice so far. When I log in, there's a cheerful little note waiting for me:

"Akismet has caught 200 spam for you since you first installed it.
You have no spam currently in the queue. Must be your lucky day. :)"

Random quote:

And of course if you were to go proactive about warning your customers, you'd probably get sued.

On Spider Robinson and his parody of Johnny Cash's song "A Boy Named Sue", from SF-hackers:

> Dianetics/Scientology was L. Ron Hubbard, not Campbell.

Actually, JWC was a big supporter of Elron, embarrassingly so;
Wikipedia has the whole sordid tale.

Spider is most definitely a 'he', as he makes clear in his tribute
to Shel Silverstein, "A Boy Named Spider."

"Some girl would giggle and I'd get flustered,
Then smack her in the face with a coconut custard
(Though later on I'd try to get inside her...)"

Unlike the boy named Sue, who was given a name that would make him "tough" in "a world that's rough," the youth in Spider's parody is the son of an aging hippie who wanted him to stay "hip" 'cause "this world's a trip."
<voice class="Kosh">'Yes.'</voice>

On trust in leaky mailing lists:

Gadi Evron wrote:
> I made it clear [] is not a trust environment but rather a friends
> environment, with some very weird uncles.

Been waiting for someone to *ahem* comment on this remark.

We have had Threads That Will Not Die about "leaks," Andy, but please be aware that the policy of the list remains that A) you are here as an individual first, rather than a representative of any organization, and B) unless a poster waives it regarding a specific message, the default here is supposed to be "Fight Club"-style confidentiality.

Perhaps "trust environment" is a term of art that means something special to you, Andy, or to you, Gadi; the fact we weren't individually vetted by the Mossad doesn't keep me from trusting the folks here, or feeling upset at the prospect of that trust being casually betrayed.

On email practices:

+1 on the EVIL of giving one's passwords to random third parties. That needs to suffer a Firestorm of Withering Scorn whenever it pops up.

On adding new folks to a mailing list:

Private contact only, but I can ask...
Should I bring one of them to []?

If it's someone you'd trust to load magazines for your Galil.

Subject: Forum post: "Getting owned by spamhaus..."

A "naive user" story to share. The good news is that more than one
person on the board piped up with the correct answer, which I find
encouraging. You might want to skip to the punchline below.


Anyone know how the hell to fix this?

Spamhaus is flagging the ip's for any email sent on the company emails.

[snip text]

And now Outlook is going all JH1 on me and smtp relays
are not working for any accounts.

On another note, how the hell did I become an IT guy? I have been
hitting the computer with a pipe wrench and that doesn't seem to help.

End Quote.

The punchline? /This is on a weight-lifting/body builders board./

Sad, but happy to remember,
Gadi Evron.


Wednesday, September 03, 2008

Hiring people and how communities run

This post by one Seth Godin speaks for itself, and is fascinating. The guy wanted to find out who to hire out of all the "PDFs". So, he put all the internship candidates on a Facebook group, and watched. He quickly saw four types of participants.
  • The game-show contestants, quick on the trigger, who were searching for a quick yes or no. Most of them left.
  • The lurkers. They were there, but we couldn't tell.
  • The followers. They waited for someone to tell them what to do.
  • The leaders. A few started conversations, directed initiatives and got to work.

Having had almost too much experience in getting projects running, making things happen, working to bridge big egos, building communities and forming new trends--or in other words, Herding Cats (TM)--I was hooked. It's not often I find another "campaign manager", and especially not a student of "affecting change".

I kept wishing the guy shared more information and some of his insight. He didn't, but it was still interesting.

Adjacent subjects hinted at in his post, such as learning, hiring and mentoring, are almost as interesting to me, and in general, I found the subject matter close to my heart. The post really "spoke" to me.

The world is full of followers, and this idea will be copied. My fear is that the fakers will become the winners.

In the Israeli military any course you go through--especially officers' course--has occasional Psychometric tests where your friends "rate" you on different attributes. [*opinion* most of] The people who get the high scores are the fakers. That means you get smart people, but also poor actors (not too much acting required).

Looking at the huge industry preparing people for anything from the SATs to professional certifications, I can visualize how this method could become [as] useless.

On the other hand, human nature has a way of coming through in the end. And, of course, in business--if the fakers "get the results" it doesn't really matter.

Gadi Evron,


Tuesday, September 02, 2008

Would someone create pyFox already?

In the reverse engineering world, IDAPython changed how people do things. Instead of wasting an hour of "monkey" labor on a repetitive task, you could now write a Python one-liner, or even load a script.

You could change variable names everywhere at once (even in comments), and do much more complicated things if you put your mind to it.

Firefox lets people build plugins, which is very useful. Using these plugins you can control what web pages look like and even Firefox itself (configuration). You can change text, images and scripts, pick an object, change encoding or even sort through cookies.

Why not combine the two ideas?

pyFox would let you run command-line Python scripts from within Firefox. You could choose and manipulate objects, change the web page, search it for regular expressions, make it all in CAPITAL LETTERS or filter it for vulnerabilities.

On the other end you could load a script to manipulate cookies for a different expiration date, download a web page every five minutes to compare for changes or even harvest Google for a keyword, explore recursively on-the-fly, and see what you find.

The sky is the limit, and Python is the tool.

People have been using the web for everything ("everything over HTTP") since the last century, and creating entire projects utilizing browsers and HTTP. Why not bring this experience (which by the way, has been a security nightmare) and POWER to the hands of the end user?

Some folks referred me to a plugin called Greasemonkey, which allows some web page manipulation using JavaScript. And...

Very recently Ubiquity was released, allowing SOME of the functionality, connecting the symbols, etc. but at a very early stage:

So, any volunteers to create pyFox?

navtej shared the following URLs in a comment:

Gadi Evron,


Monday, September 01, 2008

Logical fallacies and rationalizations

Recently I formalized some thoughts on the rationalizations people use and the excuses they invent. More specifically, my goal was to come up with a list of the low-level, basic rationalizations people use when something they believe in is shown to be false (a failed psychic, cult divination gone wrong, etc.).

These are thoughts outlining possible basic components, not a thesis.

The point behind this exercise is not to psychologically explain why people react this way, but to find the similarities and trends in logically false and vague/impossible to prove generalist statements (meaning irrefutable statements) people use at such times.

I started off with the following list, and emailed it to the skeptics mailing list for input:
  1. X is just testing our faith
  2. It is us who misunderstood the meaning
  3. We did get Y as X saw fit, it's just that X doesn't cater to our wants
  4. We have done something to anger X
  5. We have not been worthy enough
  6. Z has not been worthy and ruined it for the rest of us
  7. Humans are fallible/one can't always be right/X is off his/her game

Karen Daskawicz, a skeptics contributor, shared a similar automatic response some folks use, though it was not directly related to what I was seeking. Further, she concentrated more on religion vs. science, which was not what I was looking for. Still, it was interesting:

I'm not sure if this is the sort of thing you're looking for, but one that I've heard a lot:

"Science doesn't know everything."
or (variation)
"Science has been wrong before."

[I cut her explanation of why this is a logical fallacy from this post, but it is available online]

Larry Huntley responded:

While I don't disagree with what you say here, it looks like the OP was looking more for rationalizations/reasons that people of faith would use when asked questions like "Why did allow your partner to die of Alzheimer's? You were both very religious; surely you prayed to him to make her well, didn't you?" and "Why was almost the entire congregation of the church wiped out by lightning strikes during the ice cream social Sunday night?" or "Why were all our mud-brick pyramids destroyed by flooding?"

Moving away from religion, which is not different than any other aspect of human life in having some less than intelligent followers in the mix of its members (and, yes, sometimes uses such tricks to convince the masses to convert), Wally Anglesea brought us back on track:

Well, speaking from contact from ex-cult members of my local doomsday cult,

Many have expressed the belief that "he was genuine when we were in (including receiving messages from heaven), but at some time during the period, he went wrong, and the messages were coming from the other place."

Weird, I know, but it's how they rationalise their original positions.

At this point I was able to see some underlying concepts behind the different rationalizations. While imperfect, the following cover most of these:
  1. Blaming self (wasn't worthy, angered X, blind to it, etc.)
  2. Blaming others (weren't worthy, angered X, blind to it, etc.)
  3. Claims of misunderstanding (did in fact happen, works in mysterious ways, power temporarily off, date/meaning was mis-interpreted, etc.)

Some rationalizations seem to combine several of these.

Thoughts anyone?
Can you think of any other rationalization I skipped or basic components I missed?

Gadi Evron,
