LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Announcements
->One big page
This page
Previous weekFollowing week
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
SecurityA decline in email spam?One of the biggest internet irritants over the last decade or two clearly has to be email spam. It has collectively taken billions of hours of users' time to deal with, consumed countless terabytes of wasted disk space, burned bandwidth better spent on kitten videos, and used up vast quantities of developer time to come up with new ways to filter it out or come up with other technological fixes. So, recent reports that email spam is in decline are certainly welcome, if true, but even with the 90% decline over the last year that is being reported, the amount of spam being sent is still staggering—and likely to be with us for a long time to come. I haven't heard friends and colleagues extolling a reduction in the amount of spam they receive but, as they say, the plural of anecdote is not data. One would think that such a precipitous drop would be noticed by email users, however. In any case, Cisco, Symantec, and others are reporting numbers like 34 billion spam emails per day for April, down from 300 billion in mid-2010. That's an enormous drop in the volume, even if 34 billion a day is still huge. Without any hard data to the contrary, some significant drop-off in spam volume is a reasonable conclusion—and one worth exploring a little bit. Spam has always been driven by its economics. In the early days, it cost almost nothing to send out huge volumes of email, and the chances of getting caught and meaningfully punished were quite small. That led to various "spam kings" who made outrageous amounts of money by spamming the world. If sending spam is, for all intents and purposes, free, you don't need a very high response rate to the pitch in order to bring in substantial sums. But that led to a backlash. Users quickly tired of digging through email that was 90-100% spam, ISPs got smarter about not allowing their systems to be used for spam transmission, and, eventually, governments decided to ramp up the punishment side of the equation. Spam filtering became ubiquitous, blacklists that identified sites sending spam started to pop up, prosecutions of those sending spam were successful to some extent, and so on. The cost of sending spam has risen substantially over the years. That's not to say that there aren't some folks still making lots of money sending spam, but these days there are bigger phish (so to speak) to fry. The most lucrative schemes today don't rely on sending enormous volumes of email and are more targeted instead. It would be nice to think that users are getting a bit more sophisticated—or just running out of body parts to enlarge. It's hard to say whether that's true or not, but, even with the growth in new internet users, one might hope that the negative publicity about internet scams is making users more wary. Unfortunately, one doesn't have to search very far to find a news item about someone taken in by email claiming to be from a foreigner who wants to send them "EIGHT BILLION DOLLARS". So, it's probably overoptimistic to attribute much of the spam volume drop to users being less likely to respond to the pitch. Filtering has certainly gotten better over the years, and moved from something users had to fiddle with to "the cloud" (or at least their ISP). Spammers have routinely run their emails through tools like SpamAssassin to try to evade filters, but there are limits to that approach, especially when individual Bayesian filters are factored in. It's difficult for even gullible users to respond to a spam pitch they don't see, so filtering has likely done much to reduce the effectiveness of spam. Another factor that may be at play here is that many folks have moved beyond email for much or all of their communication. Text messages, instant messaging, and the services provided by various walled gardens (e.g. Facebook, Twitter) have replaced email for a lot of people, especially those darn kids, these days. Spam has, of course, evolved to assail those media as well. That kind of spam is not reflected in these recent statistics, however. So, while it is somewhat heartening to hear that some folks are probably receiving less email spam, it's unlikely that it's really going to change things for most people. Users will still need filtering, ISPs and governments will still need to be vigilant, and clicking on links in dodgy email will still be a bad idea. While likely mind-numbing, seven days of reading all the email you receive might also prove somewhat eye-opening. Like it or not, spam has become part of our culture. From the origin of the "spam" name to the various terms for different kinds of spam (419 spam, phishing, etc.), spam has used and been used by internet culture. Over the years, various folks have imagined horrible demises for spammers—e.g. Rule 34—usually involving the products they pitch in some bizarre fashion. So, at least we can get a chuckle from spam now and again, even as it is an extremely annoying—sometimes dangerous—phenomenon. In fact, it would be nice if junk (snail) mail filters were even half as good as email filters are these days.
Brief items Security quotes of the week
The researchers tallied the losses from fake AV [anti-virus] victims of the
three operations: One firm's victims lost $11 million; the second, $5
million; and the third, $116.9 million. That meant about $45 million per
year in income for AV1, $3.8 million for AV2, and $48.4 million for
AV3. The AV operators charged their victims $49.95 to 69.95 for six-month
licenses, and $79.95 to $89.95 for lifetime licenses.
-- Dark
Reading on a report
[PDF] on fake anti-virus companies
You are supposed to be protecting us, but at this point you are ...
terrorizing us. You have arbitrary and capricious rules that you apply
without the aid of common sense. I mean where did TSA officials get their
training, Abu Ghraib?
-- Elie
Mystal
People get USB sticks all the time. The problem isn't that people are
idiots, that they should know that a USB stick found on the street is
automatically bad and a USB stick given away at a trade show is
automatically good. The problem is that the OS trusts random USB
sticks. The problem is that the OS will automatically run a program that
can install malware from a USB stick. The problem is that it isn't safe to
plug a USB stick into a computer.
-- Bruce
Schneier
Quit blaming the victim. They're just trying to get by.
The ongoing WikiLeaks fight is a wake-up call for anyone who's been
blithely relying on the cloud. It only took a few days for WikiLeaks to
become a digital refugee, slogging from one service provider to the next,
trying to find someone with enough backbone to keep it online in the face
of legal threats, political intervention, and mysterious traffic-floods
from persons or governments unknown.
-- Cory
Doctorow
Vsftpd backdoor discovered in source code (The H)The H reports that the vsftpd download site has been compromised and version 2.3.4 contains a back door. "The bad tarball included a backdoor in the code which would respond to a user logging in with a user name ':)' by listening on port 6200 for a connection and launching a shell when someone connects." Anybody who downloaded and installed that version should be looking to replace it quickly.
Top 25 Most Dangerous Software ErrorsEach year, the SANS Institute and MITRE's Common Weakness Evaluation (CWE) project team up to create a list of the most dangerous software errors. The 2011 edition has just been released with SQL injection followed by OS command injection topping the list. "The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped. Software customers can use the same list to help them to ask for more secure software. Researchers in software security can use the Top 25 to focus on a narrow but important subset of all known security weaknesses. Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software."
New vulnerabilities bind: denial of service
dokuwiki: cross-site scripting
feh: arbitrary file overwrite
krb5-appl: privilege escalation
lftp: man-in-the-middle vulnerability
libvoikko: denial of service
NetworkManager: privilege escalation
nfs-utils: authentication bypass
OpenSSH: private key disclosure
packagekit: incorrect package signature check
php: arbitrary file creation/overwrite
qemu-kvm: arbitrary code execution
qemu-kvm: privilege escalation
rubygem-activesupport: cross-site scripting
syslog-ng: denial of service
tftp: buffer overflow
weechat: man-in-the-middle attack
wordpress: privilege escalation
xen: privilege escalation
Page editor: Jake Edge |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||