October 2005 Archives

IBM IS THE WORST


The IBM Thinkpad I bought for Grace last year is back in the shop for the second time with a broken screen. The guy says he gets this a lot. What's worse is that the supposed 'gold' level service that I shelled out extra $$$ for is not doing much good - it's going to be another "3-5 days", after it has already been 5 days.

Grace has papers and drawings to do and no computer to do them on and this is exactly the kind of bullshit I knew we were going to get when I reluctantly bought that PoS.

</rant>

The only ray of hope is that VirtualPC will be fast enough on the Intel Macs to run Autocad and the like - then this problem just goes away.

Phishers Become the Phished


I've been playing digital vigilante for the past couple of days. It occurred to me that phishing scams are far more vulnerable to counterattacks than traditional spammers. Phishers are soliciting input online, so why not give them what they want? Lots and lots of what they want.

It should be pretty easy to flood them with form postings full of obscenities. Or better yet, flood them with bogus names and credit card numbers that are indistinguishable from the few real ones they get. If done properly, this would force them to sift through thousands of bogus credit card and social security numbers just to find a single stolen identity.

This seems like a pretty obvious idea, but I was surprised to see that a quick Google search did not turn up much discussion about it. There are lots of consortiums and working groups trying to come up with passive, technological defenses against phishing. That's all well and good, but I decided I wanted to take a crack at a more direct approach.

The Attack Begins

I chose to use Python for this since it seems like a pretty good language for this kind of thing. I also don't know Python, so at the very least it would be an educational experience. I also decided that obscenities are easier to code (as well as more fun). So, I made it my first goal to learn enough Python to write a simple script that repeatedly POSTs the personal information of a "Mr. Fuck You" including his account information at the "Bank of Fuck" and so forth. I figured this would at least annoy them, though it would probably have little practical effect, since it would be easy enough to filter. So, I wrote my script and started it running against a phisher that recently sent me an email.

Interestingly, it seemed to elicit a response from them fairly quickly. After a few hundred iterations, I started getting connection timeouts. I presume they blocked my IP, because when I moved to an anonymous proxy server things started working again. That is, until about 10 minutes later when it seems they blocked that one as well.

I then downloaded a big list of anonymous proxy servers and modified my script to cycle through them. This seemed to do the trick, as I was able to run several thousand iterations. But then I started getting 404s; they had rearranged their website so that the form POSTed to 'update2.php' instead of 'update.php'. My script isn't yet smart enough to figure this out, so I manually tweaked it to POST to the new page. A few hundred more successful iterations, then more 404s - they had moved it to update2345.php. Lather, rinse, repeat.

Success?

I soon grew weary of this game and gave up on it for a couple of days. However, before I went to sleep last night, I started it running again. The phishers seemed to be asleep as well because this time they deployed no countermeasures. Looking at my logs, it seems that their site went completely dark at about 3am, after about 20,000 posts. I'm happy to say it is still down as I write this. Am I responsible? It's impossible to know, but I like to think so.

Next Steps

I'm now working on a toolkit that will generate random valid names, addresses, phone numbers, credit cards, social security numbers and so forth. I want to be able to swamp these guys with bogus responses that are indistinguishable from the genuine article. I also need to make the tool smart enough to analyze the input page so that it can adapt automatically to simple rearrange-the-website defenses.

Ideally, I'd also like to be able to more quickly generate new attack scripts for phishing sites - there is no shortage of targets out there.

Holy Toledo No More


Oakland A's radio announcer Bill King has died. I get most of my baseball over the radio, and most of it has been called by Bill King. I feel like I've lost a friend.

Come See the Duck


A Deerhoof is a hovercraft that wrenches and lurches down the road with blown gaskets and thrown rods and no problem because it's being driven by transdimensional elves. Last night, I finally saw it drive through the Great American after 2+ years of their-CDs-are-amazing-and-I-am-meaning-to-go-see-them lameness.

I was not disappointed; it truly was the most amazing show I've seen in years.

Life Imitating Life


An amusing note about the upcoming Edward R. Murrow biopic:

They opted to use archive footage of Joseph McCarthy instead of using an actor to portray the senator. Clooney had said that when the movie had undergone test screenings, audience members felt that the McCarthy character was overacting a bit, not realizing that it was the actual McCarthy through archive footage.

Pot Odds and Identity Theft


I just finished putting a freeze on my credit files as a protection against Identity Theft. I have to say I feel a lot better.

The idea is that I've locked my files at the big-three credit reporting agencies so they cannot be viewed by anyone unless explicitly authorized by me. This effectively prevents anyone else from opening new lines of credit in my name, which is the big thing to worry about with ID theft.

Setting this up was inexpensive, but it wasn't free, and it's going to be a minor pain in the ass if I ever want to get a loan or a new credit card. I got to wondering whether it was actually worth it from a risk/reward perspective.

Odds of falling victim to ID Theft: 1%

  • Estimated number of Americans victimized by identity theft in 2004: 9,000,000
  • Estimated number of Americans: 300,000,000

So that's a 3% chance/year. I'm going to bump it down to 1% because

  • I imagine many of those cases are relatively minor
  • I'm probably more careful with my info than many people
  • I want to be conservative in my estimates.

Estimated time spent in recovery: 100 hours

This is an estimate of the amount of time I'm likely to have to spend restoring my good credit once a thief gets a hold of it. Early surveys put the number at about 80 hours; more recent surveys put it at 500 hours or more. Again, I'll be conservative and say 100 hours.

Value of time spent in recovery: $200/hour

How much would I have to be paid to endure the Kafkaesque experience of restoring my good name? It makes me ill to even think about it. $200/hour is definitely conservative.

Total cost of having identity stolen: $20,000

I'm not going to factor in net out-of-pocket expenses. I've read estimates ranging from $50-$2500 - negligible compared to the lost time. This gives me a conservative estimate that it will cost me $20k to have my identity stolen.

So, in a given year, there is a 1% chance that I will have to pay $20k. If I do the security freeze, there is a 1% chance that it will save me $20k. The security freeze is effectively paying me $20k with 1/100 odds.

Cost to play: $100

Not very good odds, but what does it cost to bet? Turns out, not very much. In California, you can freeze your credit report for a total of $30, plus some photocopying, stamps, and a little bit of time. Call it $50. It also costs about this much to temporarily unfreeze your reports when you need to get a new credit card or something. All told, let's call it $100/year - again, very conservative.

Conclusion: Security Freeze is a Smart Bet

So, the pot is paying 200:1 ($20,000/$100) but we are only a 100:1 underdog to win. Clearly, the security freeze is a good bet, paying 2x. And again, this is based on very conservative estimates; I think it could easily be paying 4x or 8x.
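The same bet written out as an expected-value calculation using the post's own numbers, with the break-even point added (this is an added illustration, not part of the original post; $p$, $L$ and $C$ are labels chosen here for the annual probability, the loss and the annual freeze cost):

$$
\begin{aligned}
p &= 0.01, \qquad L = \$20{,}000, \qquad C = \$100 \\
\text{expected loss avoided per year} &= p \cdot L = 0.01 \times 20{,}000 = \$200 \\
\text{payoff ratio} &= \frac{p \cdot L}{C} = \frac{200}{100} = 2 \\
\text{net expected value per year} &= p \cdot L - C = 200 - 100 = +\$100 \\
\text{break-even freeze cost} \quad C^{*} &= p \cdot L = \$200 \text{ per year}
\end{aligned}
$$

At these estimates the freeze stays a positive-expectation bet for any annual cost below $200; raising $p$ toward the raw 3% figure or the recovery time toward the 500-hour surveys only widens the margin.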

Moreover, there's also the intangible satisfaction I'm getting from denying a bit of revenue to the credit reporting bureaus. These guys make insane amounts of money selling our information to banks and other would-be creditors. Not only do they not share that revenue with you, but they actually pass the costs of protecting yourself against ID theft on to us - an absolutely ridiculous state of affairs. As far as I'm concerned, sticking it to the bastards at Equifax, TransUnion, and Experian, even in a small way, is worth the price of entry by itself.

In any event, until we have national representatives who have the backbone to fix the problem, you're best off putting your money on the security freeze.

For more information on freezing your report in California, go to http://www.privacy.ca.gov/sheets/cis10securityfreeze.htm.

Agritainment

Article in NYT today cites faux-u-pick-pumpkin patches as examples of agritainment. I think this is going to displace greenwashing as best neologism of 2005.

I've been reading Creating Passionate Users for a couple months now. I know everyone loves it, but honestly, I'm starting to have a hard time seeing why. I like her writing style and the graphics, but the content is a bit too romper room for me. What I've learned from reading:

  • care about your user (duh)
  • nurture your inner child (please)
  • nurture your colleagues' inner children (ugh)

Her most recent entry, Death by Devil's Advocate, argues the last point. The article basically says that mean people take on the guise of devil's advocate in order to destroy valuable ideas in their infancy, and that that's a bad thing.

It's not a bad thing; it's an absolutely necessary thing. Everyone has stupid ideas, even very smart people. Those ideas need to be criticized quickly and efficiently. This isn't to say you should be uncivil; it can be done respectfully and productively. Truly good and viable ideas will survive this criticism.

CPU's Barney-the-Dinosaur approach to idea processing is not just infantilizing, it's actually harmful. If you sit around and gladhand your colleagues about the potential of every random ill-formed-but-possibly-world-changing notion that pops out of their head, you're never going to get anything done. And if you can't get anything done, the greatest idea in the world is useless.

Pax Galaxia


Yesterday, I stumbled across a really great shareware game called Pax Galaxia. It's a fast-paced, abstract, conquest-type strategy game. Think 'Risk' on speed. Very addictive.

It has a really clever UI that minimizes micromanagement. No more clicking all over the map to 'fortify' your territories; it all happens automatically. The presentation is very simple but very well done. Well worth the $20 registration fee.

As the game industry becomes more and more blockbuster hit-driven, it's refreshing to see that creative folks are still creating simple and engaging games.